- User contributions [en]

Template:U Quantal/Networking

Perspectoff — Sun, 19 May 2013 12:29:43 GMT

Perspectoff: /* Prevent unauthorized boots and system access */

= Networking =
Only one network manager and GUI interface can be enabled. Network-Manager is installed by default, but many users prefer [http://wicd.sourceforge.net/ Wicd Network Manager].

== Network Manager ==
[http://en.wikipedia.org/wiki/NetworkManager Network Manager] is the network manager installed by default in (K)Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or wired connection).

== Wicd Network Manager ==
[[File:Prefapp1.png|18 px]] [http://wicd.sourceforge.net/ Wicd Network Manager] is a GTK-dependent networking manager written in Python that can be used in all variants of (K)Ubuntu. Many users (including me) report it to be faster and more stable than Network Manager. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation (replace ''network-manager-kde'' with ''network-manager'' if using Ubuntu instead of Kubuntu).
sudo apt-get remove network-manager-kde
sudo reboot
sudo apt-get install wicd

== Set a static IP address ==
I have never been able to get Network Manager to accept my static IP address settings. If you only use only a wired interface, you do not need a network manager and it can be removed.

*Remove Network Manager (replace ''network-manager-kde'' with ''network-manager'' if using Ubuntu instead of Kubuntu):
sudo apt-get remove network-manager-kde
sudo reboot

*Edit the /etc/network/interfaces file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces

*and replace the line (ok if line is missing)
iface eth0 inet dhcp

*with the following lines (using your own LAN settings, of course):
auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

*Then restart networking:
sudo /etc/init.d/networking restart

*Check to see if your settings are now correct:
ifconfig

*If you need a static IP address and have a wireless connection, Wicd Network Manager works:

:*Uninstall Network Manager and install Wicd instead (replace ''network-manager-kde'' with ''network-manager'' if using Ubuntu instead of Kubuntu):
sudo apt-get remove network-manager-kde
sudo reboot
sudo apt-get install wicd

=== Manual configuration from the command-line ===

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

sudo mkdir /etc/wpa_supplicant
cd /etc/wpa_supplicant
sudo echo network = { > wpa_supplicant.conf
sudo echo ssid="SSID" >> wpa_supplicant.conf
sudo echo key_mgmt=WPA-PSK >> wpa_supplicant.conf
sudo echo psk="PRESHAREDKEY" >> wpa_supplicant.conf
sudo echo } >> wpa_supplicant.conf
cd /etc/network
sudo gedit interfaces

Now add after "auto eth[N] ..." & "iface eth[N] .." :

wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file and restart your system.

== Internet connection sharing (DHCP server) ==
In most LANs, an inexpensive router is used to provide [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your [http://en.wikipedia.org/wiki/Local_area_network LAN] if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to [[#Using a nested wireless LAN router|nest LANs]]). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range ''10.0.0.1 - 10.0.0.250'' with netmask ''255.255.255.0'' and gateway ''10.0.0.1''). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one to the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet ([http://en.wikipedia.org/wiki/Wide_area_network WAN]) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see [[#Using a nested wireless LAN router|using a nested wireless LAN router]] below.)

(Note: If you want your LAN to use the same subnet as your WAN, see [[#Network Interfaces Bridging|network interface bridging]].)

*Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter

*Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd

*Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server

::Change the line
INTERFACES=""
::to
INTERFACES="eth0"

*Restart the DHCP server:
sudo dhcpd restart

*Right click on Network-Manager -> Edit Connections... -> Wired -> Add
: -> Connection name: ''Shared internet connection''
: -> IPv4 Settings -> Method: Manual -> Add
: -> Address: ''10.0.0.1'' -> Netmask: ''255.255.255.0'' -> Gateway: 0.0.0.0
: -> Available to all users: [x]

*Attach the ethernet cable to (eth0).
:Network-Manager -> Wired Networks -> ''Shared internet connection''

*Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter

:*Tell the firewall which port is your direct Internet Connection:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Internet connected network device: (wlan0)
:-> IP address is assigned by DHCP: [x]

:*Tell the firewall which port is for the LAN, and specify the details for the LAN:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Local network connected device: (eth0)
:-> Enable internet connection sharing: [x]
:-> Enable DHCP for the local network: [x]
:: -> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: ''10.0.0.2''
:: -> Highest IP address to assign: ''10.0.0.250'' -> Name server: <dynamic>

:Note: Use your own desired LAN settings (internal [http://en.wikipedia.org/wiki/Static_IP#Static_and_dynamic_IP_addresses DHCP-assigned dynamic IP] address range), of course. In this example I don't use the full IP range ''10.0.0.2 - 10.0.0.255'' for dynamic IP addresses because I want to reserve some LAN addresses (''10.0.0.251 - 10.0.0.255'') to be used as static IP addresses).

*Notes:
:*If you wish to use this setup all the time, make the "''Shared internet connection''" profile your default connection profile in Network Manager.

=== Using a nested wireless LAN router ===
Many users will already have an established LAN that uses an existing wireless router and has client computers that are setup to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as '''nested LANs'''. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range ''10.0.0.1 - 10.0.0.255'' (with netmask ''255.255.255.0''), as in the above example. The router's nested wireless LAN must then use a different IP range (for example ''192.168.0.1 - 192.168.0.255'' with netmask ''255.255.255.0'').

*Do not use your wireless router's WAN (Internet) port.
*Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
*Configure your wireless router's LAN so that it appears to be a ''single device'' to the main LAN:
:*Setup your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. ''10.0.0.254''), and make sure the subnet mask matches the one you chose for your main LAN (e.g. ''255.255.255.0''). The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. ''10.0.0.1'' in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
:*If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of ''192.168.0.1'' (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be ''192.168.0.2'' or greater. (Some routers ask you to specify the entire range (such as ''192.168.0.2 - 192.168.0.255''.)
*Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP ''192.168.0.1'') instead of from the main LAN gateway.
*Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
*Note: The host computer for the main LAN must have a static IP address (e.g. ''10.0.0.1'' as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

=== Network Interfaces Bridging ===
*Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils

*Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:
auto eth0
iface eth0 inet manual
#
auto br0
iface br0 inet dhcp
#
bridge_ports eth0 wlan0
#
# The loopback network interface
auto lo
iface lo inet loopback

*Restart networking with:
sudo /etc/init.d/networking restart

== Using Dynamic IP addresses for a webserver ==
Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment static IP address], then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment dynamic] (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a Dynamic DNS service to constantly keep track of your dynamically changing IP address and match it to of your web server's URL. Fortunately, there are a few Dynamic DNS services that will do this for you, either for a small fee or even for free. For more info, see [https://help.ubuntu.com/community/DynamicDNS this Ubuntu Community help] article.

For specific tips on setting up Dynamic DNS, see [[Dynamic IP servers|this article]].

== Filesharing ==
=== NFS ===
NFS is the default networking protocol for network file sharing in *nix systems (including (K)Ubuntu Linux). Here are some tips for setting up NFS from the [http://mostlylinux.wordpress.com/network/nfshowto/ Little Girl's Mostly Linux Blog].

=== Samba File Sharing ===
==== Samba client ====
Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Ubuntu and should work seamlessly (unless you have have a firewall blocking the ports).

==== Samba server ====
[http://www.samba.org/ Samba] provides file/print services for the SMB/CIFS protocol used in Windows-based networks. See the [https://help.ubuntu.com/10.10/serverguide/C/windows-networking.html official Ubuntu documentation] for more information about providing services in a Windows network. A Samba server can be installed using the tasksel option during installation of the Ubuntu [[Ubuntu:Quantal#Servers|server]] from the LiveCD, or at any time using:
sudo tasksel install samba-server

* An alternative method of installation is:
sudo apt-get install samba samba-tools system-config-samba smbfs

:Note: samba-tools, system-config-samba, and smbfs are optional.

*Modify Samba settings.
:*Method 1:

:Menu -> System -> Administration -> Samba
:(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare [[Ubuntu:Quantal#Change your user groups|group]], as well.

:*Method 2:
:Enable File Sharing Server With User Login (Very Reliable Method)

:Do the following on the machine that has the files to be shared:

::*Add current user to Samba:
sudo smbpasswd -a username
::(replacing username with your login username)

::*Open the samba config file:

sudo nano /etc/samba/smb.conf

::*Add the directories to be added (right at the end) in the following format:

[Pictures]
path = /home/username/<folder_to_be_shared>

::(Replace username with your username and <folder_to_be_shared> with the folder you want to share)

::Press CTRL+X and then Y to save.

::*Restart Samba:
sudo service smbd restart
sudo service nmbd restart

:::Note: Prior versions used:
sudo /etc/init.d/samba restart

*On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server which is serving the folder)

*On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported [https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/95452 here]. In brief, you need to comment out/delete any instances of these two lines in /etc/smb.conf :
case sensitive
msdfs proxy

==== Change your Workgroup ====
To change your Samba (Windows network) workgroup:
sudo nano /etc/samba/smb.conf

Look for the line:
workgroup = WORKGROUUP

and change the setting to whatever your LAN workgroup is.

==== Recognizing Win98 machines ====
Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:
sudo nano /etc/samba/smb.conf
Then add the following lines to the file:
[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

=== Integrating into Mac OS X Network ===
See [http://www.zaphu.com/2008/04/30/five-guides-on-how-to-integrate-ubuntu-into-a-mac-os-x-network/ this guide] for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

=== FTP Server ===
An FTP server allows the easy transfer of files between systems over the network. Clients such as [[Ubuntu:Quantal#Filezilla|Filezilla]] can be used to interact with an FTP server. Also see these [[FTP_tips|FTP tips]].
==== vsftpd ====
[http://vsftpd.beasts.org/ vsftpd] is an FTP server available in (K)Ubuntu. For configuration information, see the [https://help.ubuntu.com/11.10/serverguide/C/ftp-server.html official Ubuntu documentation]. Install:
sudo apt-get install vsftpd

==== proftpd ====
[http://www.proftpd.org/ Proftpd] is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the [https://help.ubuntu.com/community/ProFTPD Ubuntu Community documentation]. Install:
sudo apt-get install proftpd-basic

=== WebDAV ===
[[File:Prefapp1.png|18 px]] [http://en.wikipedia.org/wiki/WebDAV WebDAV] is a method for allowing remote access to local folders via an HTTP-based web browser or file manager. This can be combined with user authentication (using LDAP or other password mechanism).

* See [[WebDAV|this page]] for instructions.

== Local Area Network ==
== Modems / Dial-up ==
Network Manager does not accept modem connections. See [https://help.ubuntu.com/10.10/internet/C/modem.html Ubuntu help] for information on identifying and connecting with a modem. These instructions require gnome-network-admin (install while connected to a wired ethernet connection):
sudo apt-get install gnome-network-admin

=== Gnome PPP and wvdial ===
[http://en.wikipedia.org/wiki/Gnome-ppp Gnome PPP] is a discontinued GUI frontend for the [http://alumnit.ca/wiki/index.php?page=WvDial wvdial] PPP modem dialer. It is still available as a package. Install:
sudo apt-get install gnome-ppp wvdial

See [http://ubuntuforums.org/showthread.php?t=931872 this forum thread] for tweaks required to make Gnome PPP and wvdial operational in Lucid.

=== GPPP ===
GPPP was the default modem dialing application in previous versions of Ubuntu.

:Menu -> Applications -> Internet -> GPPP Internet Dial-up

= Remote Access =
There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

== SSH ==
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.

=== Connect to a remote SSH server ===
==== From the command-line terminal ====
Install the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 OpenSSH] client (if not already installed):
sudo apt-get install openssh-client

From the command-line Terminal type:

ssh -C <username>@<computer name or IP address>

:Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz

:or:

ssh -C mike@192.168.1.1

:or
ssh -C 192.168.1.1 -l mike

:Note: -l specifies the login id.

If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C joe.friday@remote.computer.xyz:11022

:or

ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/''user''/.ssh. The key should be accessible only to ''user''
sudo chmod 600 /home/''user''/.ssh/identity

:or

sudo chmod 600 /home/''user''/.ssh/id_rsa

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

==== Port forwarding through SSH ====
* See [[Using_SSH_to_Port_Forward|Using SSH to Port Forward]] for full details.

* In brief, use
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the the SSH tunnel port.
To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
krdc vnc://localhost:<local port>

Note: ''localhost'' is equivalent to (and interchangeable with) ''127.0.0.1''. Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as [[#X11VNC_Server|X11VNC]]) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote '''computer''' (such as 192.168.1.155) instead of the remote '''router''''s IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

''Example'':
For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up an [[#X11VNC_Server|X11VNC server]] on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/ public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.

=== PuTTY ===
[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run Putty to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage [[#OpenSSH Public Key Authentication|OpenSSH]] is generally recommended instead).
sudo apt-get install putty putty-tools

*To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use [http://linux.die.net/man/1/puttygen Puttygen] (part of Putty-tools). (For me the Linux version of Puttygen is occasionally buggy, however, so I recommend [[#OpenSSH Public Key Authentication|OpenSSH keygen]] for routine usage instead):
puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
puttygen putty_rsa.ppk -O private-openssh -o id_rsa

*Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/''user''/.ssh) folder
mv id_rsa* ~/.ssh

*[[#OpenSSH Public Key Authentication|Copy the public key]] ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:

ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

*Connect a VNC client (such as Krdc) through SSH using the command-line:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22''
krdc vnc://127.0.0.1:5900

:or as a single command:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22'' sleep 5; krdc vnc://127.0.0.1::5900

*Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

==== Using keys created by Puttygen in OpenSSH ====
The public security key generated by Puttygen in Windows is generally not compatible with OpenSSH security keys unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see [http://unixwiz.net/techtips/putty-openssh.html this tutorial]), the public key looks like:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100302"
AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6k
unPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYD
ZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9
YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvC
bYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykee
RwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
---- END SSH2 PUBLIC KEY ----

* To be used by OpenSSH, the saved public key must be edited.
:* Delete the first two lines (with the BEGIN and Comment: in them) and the last line.
:* Join the remaining lines into a single line.
:* Place ssh-rsa at the beginning.
:* It should end up looking like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==

*Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course). PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.

=== Connect using SSH Agent ===
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See [http://kimmo.suominen.com/docs/ssh/#ssh-agent this tutorial].

Also see this alternative simple approach: [[#Connect with SSH and start an application with a single command|Connect with SSH and start an application with a single command]].

=== Setup an SSH server ===
[[File:Prefapp1.png|18 px]] Install the [https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html OpenSSH] server:
sudo apt-get install openssh-server

:or
sudo apt-get install tasksel
sudo tasksel install openssh-server

Note: The OpenSSH server can also be installed when doing a [[Ubuntu:Quantal#Servers|server]] installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See [http://pigtail.net/LRP/printsrv/cygwin-sshd.html these instructions].

* Don't forget to forward the port on which your OpenSSH server is listening. The default SSH port is 22; if the default is used, the router should therefore forward port 22 to the computer on the LAN that is hosting the OpenSSH server. The OpenSSH listening port can be changed; in fact, each computer on the LAN can listen on its own unique SSH port, if desired. The router must forward each specified listening port to the correct computer. Therefore, if computer 1 has its OpenSSH server set to listen on port 22221, then the router should forward port 22221 to computer 1's LAN IP address. If computer 2 has its OpenSSH listening port set to 22222, then obviously the router must forward port 22222 to computer 2's LAN IP address. To change the listening port of the OpenSSH server, edit the /etc/ssh/sshd_config file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/ssh/sshd_config

and change the listening port from 22 to your desired listening port:
Port ''22221''

then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

:* For greater port security (and to minimize [http://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]), consider using [[Ubuntu:Quantal#Knockd_.28Port_security.29|Knockd]].

==== Limit authorized SSH users ====
* See [[Limit_the_user_accounts_that_can_connect_through_OpenSSH_remotely|Limit the user accounts that can connect through OpenSSH remotely]]

==== OpenSSH Public Key Authentication ====
See this [http://sial.org/howto/openssh/publickey-auth/ OpenSSH Public Key Authentication Tutorial].

In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen

A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/''user''/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)

:*The private key must only be accessible (and should be read-only) to ''user'', the owner of the file:
chmod 600 /home/''user''/.ssh/id_rsa

::You could also make the entire .ssh folder accessible only to ''user'':

chmod 700 /home/''user''/.ssh

*Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

:*The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as ''serveruser'' (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys
Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.):
cd ~/.ssh
chown ''serveruser'' id_rsa.pub
cat authorized_keys id_rsa.pub >> authorized_keys

*Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config

:*Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys

*Remove the ability to login to the OpenSSH server using password authentication:
sudo nano /etc/ssh/sshd_config

:*Change the line
#PasswordAuthentication yes
:to
PasswordAuthentication no

*Restart the OpenSSH server:
sudo /etc/init.d/ssh restart

*Now you can connect securely with an SSH tunnel without requiring a password, logging in as ''serveruser''.

ssh -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p ''22''

==== Connect with SSH and start an application with a single command ====
* If you have created an [[#OpenSSH Public Key Authentication|OpenSSH key pair]] (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p 22 sleep 5; krdc vnc://127.0.0.1::5900
:*Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH option -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to continue to proceed to the next command(s) listed on the command line mini-script. The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.

* Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

==== Automate SSH connections that require a password ====
This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the [[#OpenSSH Public Key Authentication|OpenSSH key pair]] methods described above, instead. This method is listed here for reference.

*Terminal interactions (such as the SSH password challenge) can be automated using the [http://linux.die.net/man/1/expect expect] utility. Install:
sudo apt-get install expect

* If, for example, your SSH client ID is ''clientuserID'', yourpassword is ''not#1sostrong'', and the remote SSH server is ''remoteserver.computer.xyz'' (using the default SSH port of ''22''), then use this command to start the SSH tunnel:

expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. ''5900'' and ''5901'' are the ports to be used on either side of the tunnel (port ''5900'' is used for VNC, for example). See [[#Port_forwarding_through_SSH|Port forwarding through SSH]] for more details.

You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).

== VNC ==
Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as [[#X11VNC_Server|X11VNC]], [[#Vino Remote Desktop VNC server|Vino]], or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent —- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as [http://www.uvnc.com/docs/uvnc-viewer.html UltraVNC Viewer].)

=== Vino Remote Desktop VNC server ===
Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:

:Menu -> System -> Preferences -> Remote Desktop

*You can accept uninvited connections in the Security section. You can require a password for these connections.
*This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use [[#X11VNC_Server|X11VNC]] instead.

*A user can connect using [[#Vinagre VNC client|Vinagre]], the [[#Terminal Server Client|Terminal Server Client]], or any other VNC client.

==== How to securely use VNC with SSH tunneling ====
It is less secure to leave the VNC listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under [[#Port forwarding through SSH|SSH port forwarding]], the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

=== X11VNC Server ===
[[File:Prefapp1.png|18 px]] While Vino is easy to use, X11VNC allows far more customization and therefore can be used more in situations where greater security is needed.
*Install an X11VNC server to share your desktop with other computer:
sudo apt-get install x11vnc

*Run X11VNC without a password:
x11vnc -forever -rfbport 5900

:Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. Don't forget to open/forward this port in your firewall/router. By default X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See [http://www.karlrunge.com/x11vnc/x11vnc_opts.html here] for more command line options.

*Create a password to use with X11VNC:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass

*X11VNC can then be started with a password:
x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

*You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.config/autostart/x11vnc.sh
chmod +x ~/.config/autostart/x11vnc.sh

:*You can test the startup script:
~/.config/autostart/x11vnc.sh

==== Using VNC with SSH ====
See [[#Port forwarding through SSH|Port forwarding through SSH]] for additional information.

=== Vinagre VNC client ===
[http://library.gnome.org/users/vinagre/stable/index.html.en Vinagre] is the default Gnome-based VNC client used in Ubuntu.
*Menu -> Applications -> Internet -> Remote Desktop Viewer

=== Terminal Server Client ===
The Terminal Server Client is an Ubuntu/Gnome frontend for [http://www.rdesktop.org/ rdesktop] (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). In can be used instead of Vinagre.
*Menu -> Applications -> Internet -> Terminal Server Client

*To use it with VNC, one of the VNC clients must be installed first. For example, install the [http://www.tightvnc.com/ TightVNC] client:
sudo apt-get install xtightvncviewer

:*Note that the TightVNC client can be used from the command line (or as a menu item) directly:
vncviewer ''192.168.0.12''::''5900''

:where ''192.168.0.12'' is an example ''host'' location that is running a VNC server on port 5900. For more command-line options, use
man vncviewer

=== Krdc VNC client ===
[[File:Prefapp1.png|18 px]] Krdc is the default VNC client in Kubuntu/KDE but can be used in GNOME. It can be used for both VNC and RDP connections. Installing it will also install the Qt platform and many KDE utilities (a large download).
sudo apt-get install krdc

*Run:
:Menu -> Applications -> Internet -> Krdc

*The command-line connection (for use as a menu-item, for example) is:
krdc vnc://<remote IP>

*If the remote (Krfp) VNC server is using a <remote port> other than the default 5900 port, use
krdc vnc://<remote IP>:<remote port>

*Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol).
krdc rdp://<remote IP>:<remote port>

==== Using a VNC client with SSH ====
See [http://jeltsch.org/node/209 this howto] for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an [[#Port forwarding through SSH|SSH tunnel with port forwarding]] using Putty or the command line:
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
::then you would start a VNC client such as Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use
krdc vnc://localhost

=== XVNC4Viewer VNC Client ===
XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:
sudo apt-get install xvnc4viewer

=== Automatic user login (for use with VNC) ===
VNC only works if a user is logged in. When a computer (hosting one or more servers) is intended to start up unattended and VNC (with or without SSH tunneling) is to be used, the computer ought to start with the primary user logged in. To accomplish this:
:Menu -> System -> System Settings -> Login Manager -> Convenience -> Enable Auto-Login (''ticked'') -> Lock session (''ticked'')
::-> Pre-select user: Specified: ''Choose primary user'' (i.e. the user hosting the SSH tunnel, if any, and the VNC server)
::-> Automatically log in again after X server crash (''ticked'')

*Also make sure the VNC server is set to Autostart at bootup.

== FreeNX ==
[https://help.ubuntu.com/community/FreeNX FreeNX] is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

=== FreeNX Server ===
The Free server .deb package can be downloaded from [http://www.nomachine.com/select-package.php?os=linux&id=1 No Machine free server downloads].

*Alternatively, [[Ubuntu:Quantal#Add Extra (K)Ubuntu Repositories|add the following repositories]]:
<del>sudo add-apt-repository ppa:freenx-team</del>

*Install the package:
<del>sudo apt-get update</del>
<del>sudo apt-get install freenx</del>

A FreeNX package / repository is not currently available for Quantal.

=== FreeNX Client ===
Download the self-installing .deb file from [http://www.nomachine.com/select-package-client.php No Machine Client downloads].

== XDMCP ==
[http://www.tldp.org/HOWTO/XDMCP-HOWTO/index.html XDMCP] allows a separate remote login by an authorized user. This login is separate from the local user.
*XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Ubuntu. To enable it, edit the configuration file:

gedit /etc/gdm/custom.conf

*Find and change (or add) the line from false to true so that it reads:

[Xdmcp]
Enable=true

=== Telnet ===
SSH is, basically, secure Telnet.

== VPN clients ==
A [http://en.wikipedia.org/wiki/Virtual_private_network VPN] (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.
=== VPN through Network Manager ===
*The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc

*To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn

*To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp

*Configure:
::Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

=== vpnautoconnect (vpn daemon) ===
[http://sourceforge.net/projects/vpnautoconnect/ vpnautoconnect] is a daemon to allow automatic vpn connections through Network Manager. [http://sourceforge.net/projects/vpnautoconnect/files/ Download] and install the .deb package for your OS version.

=== Other VPN clients ===
Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):
:*[http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc vpnc], [http://grml.org/online-docs/grml-vpn.8.html grml-vpn] -- for Cisco-compliant (IPSec) VPN networks
:*[http://www.openswan.org/ openswan] -- for IPSec (OpenSwan) VPN networks
:*[http://pptpclient.sourceforge.net/ pptp-linux] -- for PPTP (MS Windows-compliant) VPN networks
:*[http://openvpn.net/ openvpn], gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

== VPN servers ==
=== OpenVPN ===
[http://openvpn.net/ OpenVPN] is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):
sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:
sudo apt-get install gadmin-openvpn-server

Also see [[OpenVPN_server|these installation tips]].

=== Poptop (PPTP Server) ===
[http://poptop.sourceforge.net/ Poptop] is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:
sudo apt-get install pptpd

=== OpenSwan ===
[http://www.openswan.org/ OpenSwan] is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:
sudo apt-get install openswan linux-patch-openswan

= Security =
Ubuntu by default is a fairly safe system. However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to [http://www.psychocats.net/ubuntu/security#bestpractices Ubuntu Security Best Practices] is available. Recommended reading includes the book ''[http://www.harpercollins.com/books/9780061962233/Cyber_War/index.aspx Cyber War]'' by [http://en.wikipedia.org/wiki/Richard_A._Clarke Richard Clark] and [http://news.cnet.com/8301-27080_3-20004505-245.html this interview] with Joe Weiss (IT advisor for the energy-sector smart grid). Also read [http://money.cnn.com/2013/04/08/technology/security/shodan/index.html?iid=HP_LN read this CNN Money article].

== Firewall ==
Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it that one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify [http://en.wikipedia.org/wiki/Iptables iptables], which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line, as well, but if you are that much of an expert, you probably don't need this guide.) Also see the [https://help.ubuntu.com/12.04/serverguide/firewall.html official Ubuntu documentation].

=== Firestarter ===
[[File:Prefapp1.png|18 px]] [http://www.fs-security.com/ Firestarter] is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.
sudo apt-get install firestarter

==== Firestarter fails to open system log ====
This is a problem in Quantal. See the [[Syslogd_to_rsyslog|solution here]].

=== Guarddog ===
[http://www.simonzone.com/software/guarddog/ Guarddog] is a GUI firewall configuration utility that has been used for KDE. It has a complex array of configuration, and is difficult to use for some beginners.
sudo apt-get install guarddog

=== Uncomplicated Firewall ===
[http://wiki.ubuntu.com/UncomplicatedFirewall Uncomplicated Firewall] is installed in (K)Ubuntu by default, but all ports are open initially. It is configurable through the [[Ubuntu_Quantal_Introduction#General_Notes|command-line interface]]. See [http://ubuntuforums.org/showthread.php?t=823741 this forum thread], [http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html or this usage tutorial], or [https://help.ubuntu.com/community/UFW Ubuntu community help] for tips on how to set up and use it.
If not installed, it can be installed:
apt-get install ufw

==== Gufw ====
[http://gufw.tuxfamily.org/index.html Gufw] is a graphical user interface for Uncomplicated Firewall. Install:
sudo apt-get install gufw

== Anti-virus ==
* If you are running a file server, interface frequently with Windows drives or share files with Windows users, or use virtualization, you will want a virus checker for your Windows files.

* Despite extensive minsinformation, Linux is not immune from malware (witness the explosion of malware being created for the Linux-based Google Android systems). The malware is not usually spread within the OS itself (as long as the OS is a well-respected distribution obtained through official channels), but in trojan programs downloaded and installed by users outside of the normal software distribution channels (i.e. repositories) of the OS. There is always a danger to using programs downloaded from the Internet from sources other than respected repositories -- it is the primary reason that Debian and (K)Ubuntu retain tight control over their software repositories.

* Any file can have malware embedded in it (which is trivial to achieve by concatenation, for example: ''cat originalfile.avi malware.exe > originalfileplusmalware.avi''). The question is whether a user will try to open a file with a program (such as a media player) that has been compromised in a way that allows it to execute the code found in the infected media (e.g. .avi) file. This can occur not only for Windows users but for any OS (including Mac OSX and Linux) with a compromised program (e.g. media player). An example is the extensive problems the Mac OS community is currently having with the Flash player.

* Routine scanning of any file downloaded from the Internet, any file imported from another user's computer (even a trusted source, since their attention to virus prevention may not be as compulsive as yours), or any attachment received in an email (even from a trusted sender) should be done with an anti-virus program.

=== ClamAV ===
[[File:Prefapp1.png|18 px]] [http://www.clamav.net/ ClamAV] is the open source virus tool for Linux. To install ClamAV:
sudo apt-get install clamav

* If an error is returned: "The database directory must be writable for UID 1000 or GID 1000" in order for the virus database to be updated, then change the ownership of the installation directory (/var/lib/clamav):
sudo chown 1000 /var/lib/clamav

==== ClamTk (ClamAV GUI) ====
[http://clamtk.sourceforge.net/ ClamTk] is a GTK-based GUI frontend for ClamAV. Install:
sudo apt-get install clamtk

=== AVG ===
[http://free.avg.com/us-en/download.prd-afl AVG] offers a free virus scanner for Linux in a .deb package. Download and install from the website.
=== Avast ===
[http://www.avast.com/linux-home-edition Avast] offers a Linux edition (for home users only) in a .deb package. Download and install from the website.

== Anti-spam ==
=== Spam Assasin ===
[http://spamassassin.apache.org/ SpamAssasin] is written in perl, and is mostly for use with a server (such as a groupware server or Apache). Install:
sudo apt-get spamassassin

== Rootkit checkers ==
[http://en.wikipedia.org/wiki/Rootkit Rootkits] are malicious [http://en.wikipedia.org/wiki/Trojan_horse_(computing) trojan]-like programs to allow an intruder to become a root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected. Your rootkit checker should therefore be run from another system, or a [[Ubuntu:Quantal#Run (K)Ubuntu LiveCD from a USB pendrive|USB pendrive with an Ubuntu LiveCD installation]]. See the rootkit checker manuals for instructions how to do this. If you are infected with a rootkit, you must backup all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems).
=== Chkrootkit ===
[http://www.chkrootkit.org/ Chkrootkit] checks locally for signs of a rootkit. See the [http://www.chkrootkit.org/README chkrootkit manual] for usage instructions.
:Install:
sudo apt-get install chkrootkit
:Run:
sudo chkrootkit

=== Rootkit Hunter ===
[http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit Hunter] is compatible with (K)Ubuntu systems. See the [http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 usage instructions].
:Install:
sudo apt-get install rkhunter
:Run:
sudo rkhunter

=== Malicious commands to avoid ===
There are many [[Malicious_Linux_Commands|malicious commands]] to be avoided in Linux (as in all operating systems). It is worthwhile to be aware of these dangerous commands so that they are not executed by accident or by malicious advice.

== USB drives ==
USB drives are a major source of security risk and means of data theft.

* An administrator password should be set for the computer BIOS and booting from a USB drive or CD/DVD should be disabled. (Otherwise, any passerby can boot their own OS and then use it to steal data from the hard drive.)

* See [http://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/ this article] for methods of restricting USB usage to authorized users.

== Prevent unauthorized boots and system access ==
Many computers are kept in places where casual passersby may have an opportunity to access the computer, unobserved for short periods. In addition to physical precautions to prevent or slow computer theft (such as locked cases, alarms, and security cables similar to those used to slow bicycle theft), [http://www.pcworld.com/article/114727/lock_down_your_pc.html precautions] should be taken to prevent an unauthorized operating system from being booted using an external device (such as USB drive). Once such as external OS is booted, it can be used to access most hard drive(s) on the computer and the contents copied to a second external device (to be examined or unencrypted later). This is a common means of data theft that is fast and easy to accomplish, and means to deter it should be taken on any public or semi-public computer.

* Set BIOS to restrict bootup to the hard drive only.
:* Set a Supervisor/Administrator password for your computer's BIOS. (I recommend writing it down and taping it to the inside cover of the computer case prior to locking the computer case.) Disable booting from all devices except the hard drive. Setting the hard drive as the first priority boot device is not enough, as most current BIOS menus allow manual selection of any enabled boot devices. Only the hard drive should be left enabled.

* Enable Hard Drive locking, if your computer's BIOS allows it. Most hard drives allow a password to be set by the BIOS and stored in a chip on the hard drive controller which can only be reset by disassembling the hard drive. (Some manufacturers provide a backdoor security key, however.) BIOS versions found on newer computers/laptops allow this password to be set in the BIOS, so that only a BIOS containing the correct password can unlock the hard drive. (If the hard drive is then removed from the computer, it cannot be accessed by any BIOS that does not have the correct password or backdoor security key.) Note, however, that this precaution does not protect against booting from external devices if the BIOS is still set to allow that.
:*There is a risk to this security measure. If you forget the password and the BIOS passwords somehow get reset, the hard drive would become inaccessible. The BIOS and Hard Drive password(s) should always be stored in a safe location.

* Password protect the Grub bootloader. Without password protection, Grub can be used to circumvent BIOS restrictions. See this section for [[Ubuntu_Quantal_System_Administration#Protecting_Grub_Legacy_from_cracking|Grub Legacy]] and this section for [[Ubuntu_Quantal_System_Administration#Protecting_Grub2_from_cracking|Grub2]].

* Make sure all user accounts are protected by a [[Ubuntu_Quantal_Privacy#Passwords_and_file_authentication|password]], and always require passwords for login. Never create an "administrator" user account (hidden or not) and leave it unprotected by a password. Never enable automatic login without a password to any user account.
:*It is possible to enable [[Ubuntu_Quantal_Tips#Automatic_user_login|automatic login]] to a preferred password-protected user account while simultaneously enabling a password-protected screensaver (the password for which must still be entered even before initial user access). This is a reasonable solution that offers protection while still allowing automatic login.

* Make sure a password-protected [[Ubuntu_Quantal_Utilities#Screensavers|screensaver]] is always enabled (that will engage after a reasonably short period of inactivity).

Template:U Precise/Networking

Perspectoff — Sun, 19 May 2013 12:27:16 GMT

Perspectoff: /* Prevent unauthorized boots and system access */

= Networking =
Only one network manager and GUI interface can be enabled. Network-Manager is installed by default, but many users prefer [http://wicd.sourceforge.net/ Wicd Network Manager].

== Network Manager ==
[http://en.wikipedia.org/wiki/NetworkManager Network Manager] is the network manager installed by default in (K)Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or wired connection).

== Wicd Network Manager ==
[[File:Prefapp1.png|18 px]] [http://wicd.sourceforge.net/ Wicd Network Manager] is a GTK-dependent networking manager written in Python that can be used in all variants of (K)Ubuntu. Many users (including me) report it to be faster and more stable than Network Manager. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation (replace ''network-manager-kde'' with ''network-manager'' if using Ubuntu instead of Kubuntu).
sudo apt-get remove network-manager-kde
sudo reboot
sudo apt-get install wicd

== Set a static IP address ==
I have never been able to get Network Manager to accept my static IP address settings. If you only use only a wired interface, you do not need a network manager and it can be removed.

*Remove Network Manager (replace ''network-manager-kde'' with ''network-manager'' if using Ubuntu instead of Kubuntu):
sudo apt-get remove network-manager-kde
sudo reboot

*Edit the /etc/network/interfaces file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces

*and replace the line (ok if line is missing)
iface eth0 inet dhcp

*with the following lines (using your own LAN settings, of course):
auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1

*Then restart networking:
sudo /etc/init.d/networking restart

*Check to see if your settings are now correct:
ifconfig

*If you need a static IP address and have a wireless connection, Wicd Network Manager works:

:*Uninstall Network Manager and install Wicd instead (replace ''network-manager-kde'' with ''network-manager'' if using Ubuntu instead of Kubuntu):
sudo apt-get remove network-manager-kde
sudo reboot
sudo apt-get install wicd

=== Manual configuration from the command-line ===

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

sudo mkdir /etc/wpa_supplicant
cd /etc/wpa_supplicant
sudo echo network = { > wpa_supplicant.conf
sudo echo ssid="SSID" >> wpa_supplicant.conf
sudo echo key_mgmt=WPA-PSK >> wpa_supplicant.conf
sudo echo psk="PRESHAREDKEY" >> wpa_supplicant.conf
sudo echo } >> wpa_supplicant.conf
cd /etc/network
sudo gedit interfaces

Now add after "auto eth[N] ..." & "iface eth[N] .." :

wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file and restart your system.

== Internet connection sharing (DHCP server) ==
In most LANs, an inexpensive router is used to provide [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your [http://en.wikipedia.org/wiki/Local_area_network LAN] if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to [[#Using a nested wireless LAN router|nest LANs]]). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range ''10.0.0.1 - 10.0.0.250'' with netmask ''255.255.255.0'' and gateway ''10.0.0.1''). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one to the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet ([http://en.wikipedia.org/wiki/Wide_area_network WAN]) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see [[#Using a nested wireless LAN router|using a nested wireless LAN router]] below.)

(Note: If you want your LAN to use the same subnet as your WAN, see [[#Network Interfaces Bridging|network interface bridging]].)

*Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter

*Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd

*Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server

::Change the line
INTERFACES=""
::to
INTERFACES="eth0"

*Restart the DHCP server:
sudo dhcpd restart

*Right click on Network-Manager -> Edit Connections... -> Wired -> Add
: -> Connection name: ''Shared internet connection''
: -> IPv4 Settings -> Method: Manual -> Add
: -> Address: ''10.0.0.1'' -> Netmask: ''255.255.255.0'' -> Gateway: 0.0.0.0
: -> Available to all users: [x]

*Attach the ethernet cable to (eth0).
:Network-Manager -> Wired Networks -> ''Shared internet connection''

*Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter

:*Tell the firewall which port is your direct Internet Connection:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Internet connected network device: (wlan0)
:-> IP address is assigned by DHCP: [x]

:*Tell the firewall which port is for the LAN, and specify the details for the LAN:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Local network connected device: (eth0)
:-> Enable internet connection sharing: [x]
:-> Enable DHCP for the local network: [x]
:: -> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: ''10.0.0.2''
:: -> Highest IP address to assign: ''10.0.0.250'' -> Name server: <dynamic>

:Note: Use your own desired LAN settings (internal [http://en.wikipedia.org/wiki/Static_IP#Static_and_dynamic_IP_addresses DHCP-assigned dynamic IP] address range), of course. In this example I don't use the full IP range ''10.0.0.2 - 10.0.0.255'' for dynamic IP addresses because I want to reserve some LAN addresses (''10.0.0.251 - 10.0.0.255'') to be used as static IP addresses).

*Notes:
:*If you wish to use this setup all the time, make the "''Shared internet connection''" profile your default connection profile in Network Manager.

=== Using a nested wireless LAN router ===
Many users will already have an established LAN that uses an existing wireless router and has client computers that are setup to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as '''nested LANs'''. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range ''10.0.0.1 - 10.0.0.255'' (with netmask ''255.255.255.0''), as in the above example. The router's nested wireless LAN must then use a different IP range (for example ''192.168.0.1 - 192.168.0.255'' with netmask ''255.255.255.0'').

*Do not use your wireless router's WAN (Internet) port.
*Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
*Configure your wireless router's LAN so that it appears to be a ''single device'' to the main LAN:
:*Setup your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. ''10.0.0.254''), and make sure the subnet mask matches the one you chose for your main LAN (e.g. ''255.255.255.0''). The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. ''10.0.0.1'' in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
:*If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of ''192.168.0.1'' (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be ''192.168.0.2'' or greater. (Some routers ask you to specify the entire range (such as ''192.168.0.2 - 192.168.0.255''.)
*Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP ''192.168.0.1'') instead of from the main LAN gateway.
*Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
*Note: The host computer for the main LAN must have a static IP address (e.g. ''10.0.0.1'' as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

=== Network Interfaces Bridging ===
*Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils

*Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:
auto eth0
iface eth0 inet manual
#
auto br0
iface br0 inet dhcp
#
bridge_ports eth0 wlan0
#
# The loopback network interface
auto lo
iface lo inet loopback

*Restart networking with:
sudo /etc/init.d/networking restart

== Using Dynamic IP addresses for a webserver ==
Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment static IP address], then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment dynamic] (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a Dynamic DNS service to constantly keep track of your dynamically changing IP address and match it to of your web server's URL. Fortunately, there are a few Dynamic DNS services that will do this for you, either for a small fee or even for free. For more info, see [https://help.ubuntu.com/community/DynamicDNS this Ubuntu Community help] article.

For specific tips on setting up Dynamic DNS, see [[Dynamic IP servers|this article]].

== Filesharing ==
=== NFS ===
NFS is the default networking protocol for network file sharing in *nix systems (including (K)Ubuntu Linux). Here are some tips for setting up NFS from the [http://mostlylinux.wordpress.com/network/nfshowto/ Little Girl's Mostly Linux Blog].

=== Samba File Sharing ===
==== Samba client ====
Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Ubuntu and should work seamlessly (unless you have have a firewall blocking the ports).

==== Samba server ====
[http://www.samba.org/ Samba] provides file/print services for the SMB/CIFS protocol used in Windows-based networks. See the [https://help.ubuntu.com/10.10/serverguide/C/windows-networking.html official Ubuntu documentation] for more information about providing services in a Windows network. A Samba server can be installed using the tasksel option during installation of the Ubuntu [[Ubuntu:Precise#Servers|server]] from the LiveCD, or at any time using:
sudo tasksel install samba-server

* An alternative method of installation is:
sudo apt-get install samba samba-tools system-config-samba smbfs

:Note: samba-tools, system-config-samba, and smbfs are optional.

*Modify Samba settings.
:*Method 1:

:Menu -> System -> Administration -> Samba
:(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare [[Ubuntu:Precise#Change your user groups|group]], as well.

:*Method 2:
:Enable File Sharing Server With User Login (Very Reliable Method)

:Do the following on the machine that has the files to be shared:

::*Add current user to Samba:
sudo smbpasswd -a username
::(replacing username with your login username)

::*Open the samba config file:

sudo nano /etc/samba/smb.conf

::*Add the directories to be added (right at the end) in the following format:

[Pictures]
path = /home/username/<folder_to_be_shared>

::(Replace username with your username and <folder_to_be_shared> with the folder you want to share)

::Press CTRL+X and then Y to save.

::*Restart Samba:
sudo service smbd restart
sudo service nmbd restart

:::Note: Prior versions used:
sudo /etc/init.d/samba restart

*On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server which is serving the folder)

*On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported [https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/95452 here]. In brief, you need to comment out/delete any instances of these two lines in /etc/smb.conf :
case sensitive
msdfs proxy

==== Change your Workgroup ====
To change your Samba (Windows network) workgroup:
sudo nano /etc/samba/smb.conf

Look for the line:
workgroup = WORKGROUUP

and change the setting to whatever your LAN workgroup is.

==== Recognizing Win98 machines ====
Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:
sudo nano /etc/samba/smb.conf
Then add the following lines to the file:
[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

=== Integrating into Mac OS X Network ===
See [http://www.zaphu.com/2008/04/30/five-guides-on-how-to-integrate-ubuntu-into-a-mac-os-x-network/ this guide] for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

=== FTP Server ===
An FTP server allows the easy transfer of files between systems over the network. Clients such as [[Ubuntu:Precise#Filezilla|Filezilla]] can be used to interact with an FTP server. Also see these [[FTP_tips|FTP tips]].
==== vsftpd ====
[http://vsftpd.beasts.org/ vsftpd] is an FTP server available in (K)Ubuntu. For configuration information, see the [https://help.ubuntu.com/11.10/serverguide/C/ftp-server.html official Ubuntu documentation]. Install:
sudo apt-get install vsftpd

==== proftpd ====
[http://www.proftpd.org/ Proftpd] is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the [https://help.ubuntu.com/community/ProFTPD Ubuntu Community documentation]. Install:
sudo apt-get install proftpd-basic

=== WebDAV ===
[[File:Prefapp1.png|18 px]] [http://en.wikipedia.org/wiki/WebDAV WebDAV] is a method for allowing remote access to local folders via an HTTP-based web browser or file manager. This can be combined with user authentication (using LDAP or other password mechanism).

* See [[WebDAV|this page]] for instructions.

== Local Area Network ==
== Modems / Dial-up ==
Network Manager does not accept modem connections. See [https://help.ubuntu.com/10.10/internet/C/modem.html Ubuntu help] for information on identifying and connecting with a modem. These instructions require gnome-network-admin (install while connected to a wired ethernet connection):
sudo apt-get install gnome-network-admin

=== Gnome PPP and wvdial ===
[http://en.wikipedia.org/wiki/Gnome-ppp Gnome PPP] is a discontinued GUI frontend for the [http://alumnit.ca/wiki/index.php?page=WvDial wvdial] PPP modem dialer. It is still available as a package. Install:
sudo apt-get install gnome-ppp wvdial

See [http://ubuntuforums.org/showthread.php?t=931872 this forum thread] for tweaks required to make Gnome PPP and wvdial operational in Lucid.

=== GPPP ===
GPPP was the default modem dialing application in previous versions of Ubuntu.

:Menu -> Applications -> Internet -> GPPP Internet Dial-up

= Remote Access =
There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

== SSH ==
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.

=== Connect to a remote SSH server ===
==== From the command-line terminal ====
Install the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 OpenSSH] client (if not already installed):
sudo apt-get install openssh-client

From the command-line Terminal type:

ssh -C <username>@<computer name or IP address>

:Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz

:or:

ssh -C mike@192.168.1.1

:or
ssh -C 192.168.1.1 -l mike

:Note: -l specifies the login id.

If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C joe.friday@remote.computer.xyz:11022

:or

ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/''user''/.ssh. The key should be accessible only to ''user''
sudo chmod 600 /home/''user''/.ssh/identity

:or

sudo chmod 600 /home/''user''/.ssh/id_rsa

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

==== Port forwarding through SSH ====
* See [[Using_SSH_to_Port_Forward|Using SSH to Port Forward]] for full details.

* In brief, use
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the the SSH tunnel port.
To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
krdc vnc://localhost:<local port>

Note: ''localhost'' is equivalent to (and interchangeable with) ''127.0.0.1''. Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as [[#X11VNC_Server|X11VNC]]) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote '''computer''' (such as 192.168.1.155) instead of the remote '''router''''s IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

''Example'':
For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up an [[#X11VNC_Server|X11VNC server]] on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/ public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.

=== PuTTY ===
[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run Putty to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage [[#OpenSSH Public Key Authentication|OpenSSH]] is generally recommended instead).
sudo apt-get install putty putty-tools

*To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use [http://linux.die.net/man/1/puttygen Puttygen] (part of Putty-tools). (For me the Linux version of Puttygen is occasionally buggy, however, so I recommend [[#OpenSSH Public Key Authentication|OpenSSH keygen]] for routine usage instead):
puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
puttygen putty_rsa.ppk -O private-openssh -o id_rsa

*Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/''user''/.ssh) folder
mv id_rsa* ~/.ssh

*[[#OpenSSH Public Key Authentication|Copy the public key]] ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:

ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

*Connect a VNC client (such as Krdc) through SSH using the command-line:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22''
krdc vnc://127.0.0.1:5900

:or as a single command:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22'' sleep 5; krdc vnc://127.0.0.1::5900

*Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

==== Using keys created by Puttygen in OpenSSH ====
The public security key generated by Puttygen in Windows is generally not compatible with OpenSSH security keys unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see [http://unixwiz.net/techtips/putty-openssh.html this tutorial]), the public key looks like:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100302"
AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6k
unPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYD
ZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9
YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvC
bYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykee
RwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
---- END SSH2 PUBLIC KEY ----

* To be used by OpenSSH, the saved public key must be edited.
:* Delete the first two lines (with the BEGIN and Comment: in them) and the last line.
:* Join the remaining lines into a single line.
:* Place ssh-rsa at the beginning.
:* It should end up looking like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==

*Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course). PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.

=== Connect using SSH Agent ===
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See [http://kimmo.suominen.com/docs/ssh/#ssh-agent this tutorial].

Also see this alternative simple approach: [[#Connect with SSH and start an application with a single command|Connect with SSH and start an application with a single command]].

=== Setup an SSH server ===
[[File:Prefapp1.png|18 px]] Install the [https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html OpenSSH] server:
sudo apt-get install openssh-server

:or
sudo apt-get install tasksel
sudo tasksel install openssh-server

Note: The OpenSSH server can also be installed when doing a [[Ubuntu:Precise#Servers|server]] installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See [http://pigtail.net/LRP/printsrv/cygwin-sshd.html these instructions].

* Don't forget to forward the port on which your OpenSSH server is listening. The default SSH port is 22; if the default is used, the router should therefore forward port 22 to the computer on the LAN that is hosting the OpenSSH server. The OpenSSH listening port can be changed; in fact, each computer on the LAN can listen on its own unique SSH port, if desired. The router must forward each specified listening port to the correct computer. Therefore, if computer 1 has its OpenSSH server set to listen on port 22221, then the router should forward port 22221 to computer 1's LAN IP address. If computer 2 has its OpenSSH listening port set to 22222, then obviously the router must forward port 22222 to computer 2's LAN IP address. To change the listening port of the OpenSSH server, edit the /etc/ssh/sshd_config file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/ssh/sshd_config

and change the listening port from 22 to your desired listening port:
Port ''22221''

then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

:* For greater port security (and to minimize [http://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]), consider using [[Ubuntu:Precise#Knockd_.28Port_security.29|Knockd]].

==== Limit authorized SSH users ====
* See [[Limit_the_user_accounts_that_can_connect_through_OpenSSH_remotely|Limit the user accounts that can connect through OpenSSH remotely]]

==== OpenSSH Public Key Authentication ====
See this [http://sial.org/howto/openssh/publickey-auth/ OpenSSH Public Key Authentication Tutorial].

In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen

A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/''user''/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)

:*The private key must only be accessible (and should be read-only) to ''user'', the owner of the file:
chmod 600 /home/''user''/.ssh/id_rsa

::You could also make the entire .ssh folder accessible only to ''user'':

chmod 700 /home/''user''/.ssh

*Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

:*The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as ''serveruser'' (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys
Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.):
cd ~/.ssh
chown ''serveruser'' id_rsa.pub
cat authorized_keys id_rsa.pub >> authorized_keys

*Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config

:*Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys

*Remove the ability to login to the OpenSSH server using password authentication:
sudo nano /etc/ssh/sshd_config

:*Change the line
#PasswordAuthentication yes
:to
PasswordAuthentication no

*Restart the OpenSSH server:
sudo /etc/init.d/ssh restart

*Now you can connect securely with an SSH tunnel without requiring a password, logging in as ''serveruser''.

ssh -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p ''22''

==== Connect with SSH and start an application with a single command ====
* If you have created an [[#OpenSSH Public Key Authentication|OpenSSH key pair]] (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p 22 sleep 5; krdc vnc://127.0.0.1::5900
:*Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH option -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to continue to proceed to the next command(s) listed on the command line mini-script. The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.

* Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

==== Automate SSH connections that require a password ====
This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the [[#OpenSSH Public Key Authentication|OpenSSH key pair]] methods described above, instead. This method is listed here for reference.

*Terminal interactions (such as the SSH password challenge) can be automated using the [http://linux.die.net/man/1/expect expect] utility. Install:
sudo apt-get install expect

* If, for example, your SSH client ID is ''clientuserID'', yourpassword is ''not#1sostrong'', and the remote SSH server is ''remoteserver.computer.xyz'' (using the default SSH port of ''22''), then use this command to start the SSH tunnel:

expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. ''5900'' and ''5901'' are the ports to be used on either side of the tunnel (port ''5900'' is used for VNC, for example). See [[#Port_forwarding_through_SSH|Port forwarding through SSH]] for more details.

You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).

== VNC ==
Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as [[#X11VNC_Server|X11VNC]], [[#Vino Remote Desktop VNC server|Vino]], or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent —- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as [http://www.uvnc.com/docs/uvnc-viewer.html UltraVNC Viewer].)

=== Vino Remote Desktop VNC server ===
Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:

:Menu -> System -> Preferences -> Remote Desktop

*You can accept uninvited connections in the Security section. You can require a password for these connections.
*This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use [[#X11VNC_Server|X11VNC]] instead.

*A user can connect using [[#Vinagre VNC client|Vinagre]], the [[#Terminal Server Client|Terminal Server Client]], or any other VNC client.

==== How to securely use VNC with SSH tunneling ====
It is less secure to leave the VNC listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under [[#Port forwarding through SSH|SSH port forwarding]], the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

=== X11VNC Server ===
[[File:Prefapp1.png|18 px]] While Vino is easy to use, X11VNC allows far more customization and therefore can be used more in situations where greater security is needed.
*Install an X11VNC server to share your desktop with other computer:
sudo apt-get install x11vnc

*Run X11VNC without a password:
x11vnc -forever -rfbport 5900

:Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. Don't forget to open/forward this port in your firewall/router. By default X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See [http://www.karlrunge.com/x11vnc/x11vnc_opts.html here] for more command line options.

*Create a password to use with X11VNC:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass

*X11VNC can then be started with a password:
x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

*You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.config/autostart/x11vnc.sh
chmod +x ~/.config/autostart/x11vnc.sh

:*You can test the startup script:
~/.config/autostart/x11vnc.sh

==== Using VNC with SSH ====
See [[#Port forwarding through SSH|Port forwarding through SSH]] for additional information.

=== Vinagre VNC client ===
[http://library.gnome.org/users/vinagre/stable/index.html.en Vinagre] is the default Gnome-based VNC client used in Ubuntu.
*Menu -> Applications -> Internet -> Remote Desktop Viewer

=== Terminal Server Client ===
The Terminal Server Client is an Ubuntu/Gnome frontend for [http://www.rdesktop.org/ rdesktop] (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). In can be used instead of Vinagre.
*Menu -> Applications -> Internet -> Terminal Server Client

*To use it with VNC, one of the VNC clients must be installed first. For example, install the [http://www.tightvnc.com/ TightVNC] client:
sudo apt-get install xtightvncviewer

:*Note that the TightVNC client can be used from the command line (or as a menu item) directly:
vncviewer ''192.168.0.12''::''5900''

:where ''192.168.0.12'' is an example ''host'' location that is running a VNC server on port 5900. For more command-line options, use
man vncviewer

=== Krdc VNC client ===
[[File:Prefapp1.png|18 px]] Krdc is the default VNC client in Kubuntu/KDE but can be used in GNOME. It can be used for both VNC and RDP connections. Installing it will also install the Qt platform and many KDE utilities (a large download).
sudo apt-get install krdc

*Run:
:Menu -> Applications -> Internet -> Krdc

*The command-line connection (for use as a menu-item, for example) is:
krdc vnc://<remote IP>

*If the remote (Krfp) VNC server is using a <remote port> other than the default 5900 port, use
krdc vnc://<remote IP>:<remote port>

*Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol).
krdc rdp://<remote IP>:<remote port>

==== Using a VNC client with SSH ====
See [http://jeltsch.org/node/209 this howto] for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an [[#Port forwarding through SSH|SSH tunnel with port forwarding]] using Putty or the command line:
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
::then you would start a VNC client such as Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use
krdc vnc://localhost

=== XVNC4Viewer VNC Client ===
XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:
sudo apt-get install xvnc4viewer

=== Automatic user login (for use with VNC) ===
VNC only works if a user is logged in. When a computer (hosting one or more servers) is intended to start up unattended and VNC (with or without SSH tunneling) is to be used, the computer ought to start with the primary user logged in. To accomplish this:
:Menu -> System -> System Settings -> Login Manager -> Convenience -> Enable Auto-Login (''ticked'') -> Lock session (''ticked'')
::-> Pre-select user: Specified: ''Choose primary user'' (i.e. the user hosting the SSH tunnel, if any, and the VNC server)
::-> Automatically log in again after X server crash (''ticked'')

*Also make sure the VNC server is set to Autostart at bootup.

== FreeNX ==
[https://help.ubuntu.com/community/FreeNX FreeNX] is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

=== FreeNX Server ===
The Free server .deb package can be downloaded from [http://www.nomachine.com/select-package.php?os=linux&id=1 No Machine free server downloads].

*Alternatively, [[Ubuntu:Precise#Add Extra (K)Ubuntu Repositories|add the following repositories]]:
sudo add-apt-repository ppa:freenx-team

*Install the package:
sudo apt-get update
sudo apt-get install freenx

=== FreeNX Client ===
Download the self-installing .deb file from [http://www.nomachine.com/select-package-client.php No Machine Client downloads].

== XDMCP ==
[http://www.tldp.org/HOWTO/XDMCP-HOWTO/index.html XDMCP] allows a separate remote login by an authorized user. This login is separate from the local user.
*XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Ubuntu. To enable it, edit the configuration file:

gedit /etc/gdm/custom.conf

*Find and change (or add) the line from false to true so that it reads:

[Xdmcp]
Enable=true

=== Telnet ===
SSH is, basically, secure Telnet.

== VPN clients ==
A [http://en.wikipedia.org/wiki/Virtual_private_network VPN] (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.
=== VPN through Network Manager ===
*The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc

*To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn

*To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp

*Configure:
::Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

=== vpnautoconnect (vpn daemon) ===
[http://sourceforge.net/projects/vpnautoconnect/ vpnautoconnect] is a daemon to allow automatic vpn connections through Network Manager. [http://sourceforge.net/projects/vpnautoconnect/files/ Download] and install the .deb package for your OS version.

=== Other VPN clients ===
Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):
:*[http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc vpnc], [http://grml.org/online-docs/grml-vpn.8.html grml-vpn] -- for Cisco-compliant (IPSec) VPN networks
:*[http://www.openswan.org/ openswan] -- for IPSec (OpenSwan) VPN networks
:*[http://pptpclient.sourceforge.net/ pptp-linux] -- for PPTP (MS Windows-compliant) VPN networks
:*[http://openvpn.net/ openvpn], gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

== VPN servers ==
=== OpenVPN ===
[http://openvpn.net/ OpenVPN] is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):
sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:
sudo apt-get install gadmin-openvpn-server

Also see [[OpenVPN_server|these installation tips]].

=== Poptop (PPTP Server) ===
[http://poptop.sourceforge.net/ Poptop] is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:
sudo apt-get install pptpd

=== OpenSwan ===
[http://www.openswan.org/ OpenSwan] is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:
sudo apt-get install openswan linux-patch-openswan

= Security =
Ubuntu by default is a fairly safe system. However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to [http://www.psychocats.net/ubuntu/security#bestpractices Ubuntu Security Best Practices] is available. Recommended reading includes the book ''[http://www.harpercollins.com/books/9780061962233/Cyber_War/index.aspx Cyber War]'' by [http://en.wikipedia.org/wiki/Richard_A._Clarke Richard Clark] and [http://news.cnet.com/8301-27080_3-20004505-245.html this interview] with Joe Weiss (IT advisor for the energy-sector smart grid). Also read [http://money.cnn.com/2013/04/08/technology/security/shodan/index.html?iid=HP_LN read this CNN Money article].

== Firewall ==
Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it that one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify [http://en.wikipedia.org/wiki/Iptables iptables], which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line, as well, but if you are that much of an expert, you probably don't need this guide.) Also see the [https://help.ubuntu.com/12.04/serverguide/firewall.html official Ubuntu documentation].

=== Firestarter ===
[[File:Prefapp1.png|18 px]] [http://www.fs-security.com/ Firestarter] is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.
sudo apt-get install firestarter

==== Firestarter fails to open system log ====
This is a problem in Precise. See the [[Syslogd_to_rsyslog|solution here]].

=== Guarddog ===
[http://www.simonzone.com/software/guarddog/ Guarddog] is a GUI firewall configuration utility that has been used for KDE. It has a complex array of configuration, and is difficult to use for some beginners.
sudo apt-get install guarddog

=== Uncomplicated Firewall ===
[http://wiki.ubuntu.com/UncomplicatedFirewall Uncomplicated Firewall] is installed in (K)Ubuntu by default, but all ports are open initially. It is configurable through the [[Ubuntu_Precise_Introduction#General_Notes|command-line interface]]. See [http://ubuntuforums.org/showthread.php?t=823741 this forum thread], [http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html or this usage tutorial], or [https://help.ubuntu.com/community/UFW Ubuntu community help] for tips on how to set up and use it.
If not installed, it can be installed:
apt-get install ufw

==== Gufw ====
[http://gufw.tuxfamily.org/index.html Gufw] is a graphical user interface for Uncomplicated Firewall. Install:
sudo apt-get install gufw

== Anti-virus ==
* If you are running a file server, interface frequently with Windows drives or share files with Windows users, or use virtualization, you will want a virus checker for your Windows files.

* Despite extensive minsinformation, Linux is not immune from malware (witness the explosion of malware being created for the Linux-based Google Android systems). The malware is not usually spread within the OS itself (as long as the OS is a well-respected distribution obtained through official channels), but in trojan programs downloaded and installed by users outside of the normal software distribution channels (i.e. repositories) of the OS. There is always a danger to using programs downloaded from the Internet from sources other than respected repositories -- it is the primary reason that Debian and (K)Ubuntu retain tight control over their software repositories.

* Any file can have malware embedded in it (which is trivial to achieve by concatenation, for example: ''cat originalfile.avi malware.exe > originalfileplusmalware.avi''). The question is whether a user will try to open a file with a program (such as a media player) that has been compromised in a way that allows it to execute the code found in the infected media (e.g. .avi) file. This can occur not only for Windows users but for any OS (including Mac OSX and Linux) with a compromised program (e.g. media player). An example is the extensive problems the Mac OS community is currently having with the Flash player.

* Routine scanning of any file downloaded from the Internet, any file imported from another user's computer (even a trusted source, since their attention to virus prevention may not be as compulsive as yours), or any attachment received in an email (even from a trusted sender) should be done with an anti-virus program.

=== ClamAV ===
[[File:Prefapp1.png|18 px]] [http://www.clamav.net/ ClamAV] is the open source virus tool for Linux. To install ClamAV:
sudo apt-get install clamav

* If an error is returned: "The database directory must be writable for UID 1000 or GID 1000" in order for the virus database to be updated, then change the ownership of the installation directory (/var/lib/clamav):
sudo chown 1000 /var/lib/clamav

==== ClamTk (ClamAV GUI) ====
[http://clamtk.sourceforge.net/ ClamTk] is a GTK-based GUI frontend for ClamAV. Install:
sudo apt-get install clamtk

=== AVG ===
[http://free.avg.com/us-en/download.prd-afl AVG] offers a free virus scanner for Linux in a .deb package. Download and install from the website.
=== Avast ===
[http://www.avast.com/linux-home-edition Avast] offers a Linux edition (for home users only) in a .deb package. Download and install from the website.

== Anti-spam ==
=== Spam Assasin ===
[http://spamassassin.apache.org/ SpamAssasin] is written in perl, and is mostly for use with a server (such as a groupware server or Apache). Install:
sudo apt-get spamassassin

== Rootkit checkers ==
[http://en.wikipedia.org/wiki/Rootkit Rootkits] are malicious [http://en.wikipedia.org/wiki/Trojan_horse_(computing) trojan]-like programs to allow an intruder to become a root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected. Your rootkit checker should therefore be run from another system, or a [[Ubuntu:Precise#Run (K)Ubuntu LiveCD from a USB pendrive|USB pendrive with an Ubuntu LiveCD installation]]. See the rootkit checker manuals for instructions how to do this. If you are infected with a rootkit, you must backup all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems).
=== Chkrootkit ===
[http://www.chkrootkit.org/ Chkrootkit] checks locally for signs of a rootkit. See the [http://www.chkrootkit.org/README chkrootkit manual] for usage instructions.
:Install:
sudo apt-get install chkrootkit
:Run:
sudo chkrootkit

=== Rootkit Hunter ===
[http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit Hunter] is compatible with (K)Ubuntu systems. See the [http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 usage instructions].
:Install:
sudo apt-get install rkhunter
:Run:
sudo rkhunter

=== Malicious commands to avoid ===
There are many [[Malicious_Linux_Commands|malicious commands]] to be avoided in Linux (as in all operating systems). It is worthwhile to be aware of these dangerous commands so that they are not executed by accident or by malicious advice.

== USB drives ==
USB drives are a major source of security risk and means of data theft.

* An administrator password should be set for the computer BIOS and booting from a USB drive or CD/DVD should be disabled. (Otherwise, any passerby can boot their own OS and then use it to steal data from the hard drive.)

* See [http://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/ this article] for methods of restricting USB usage to authorized users.

== Prevent unauthorized boots and system access ==
Many computers are kept in places where casual passersby may have an opportunity to access the computer, unobserved for short periods. In addition to physical precautions to prevent or slow computer theft (such as locked cases, alarms, and security cables similar to those used to slow bicycle theft), [http://www.pcworld.com/article/114727/lock_down_your_pc.html precautions] should be taken to prevent an unauthorized operating system from being booted using an external device (such as USB drive). Once such as external OS is booted, it can be used to access most hard drive(s) on the computer and the contents copied to a second external device (to be examined or unencrypted later). This is a common means of data theft that is fast and easy to accomplish, and means to deter it should be taken on any public or semi-public computer.

* Set BIOS to restrict bootup to the hard drive only.
:* Set a Supervisor/Administrator password for your computer's BIOS. (I recommend writing it down and taping it to the inside cover of the computer case prior to locking the computer case.) Disable booting from all devices except the hard drive. Setting the hard drive as the first priority boot device is not enough, as most current BIOS menus allow manual selection of any enabled boot devices. Only the hard drive should be left enabled.

* Enable Hard Drive locking, if your computer's BIOS allows it. Most hard drives allow a password to be set by the BIOS and stored in a chip on the hard drive controller which can only be reset by disassembling the hard drive. (Some manufacturers provide a backdoor security key, however.) BIOS versions found on newer computers/laptops allow this password to be set in the BIOS, so that only a BIOS containing the correct password can unlock the hard drive. (If the hard drive is then removed from the computer, it cannot be accessed by any BIOS that does not have the correct password or backdoor security key.) Note, however, that this precaution does not protect against booting from external devices if the BIOS is still set to allow that.
:*There is a risk to this security measure. If you forget the password and the BIOS passwords somehow get reset, the hard drive would become inaccessible. The BIOS and Hard Drive password(s) should always be stored in a safe location.

* Password protect the Grub bootloader. Without password protection, Grub can be used to circumvent BIOS restrictions. See this section for [[Ubuntu_Precise_System_Administration#Protecting_Grub_Legacy_from_cracking|Grub Legacy]] and this section for [[Ubuntu_Precise_System_Administration#Protecting_Grub2_from_cracking|Grub2]].

* Make sure all user accounts are protected by a [[Ubuntu_Precise_Privacy#Passwords_and_file_authentication|password]], and always require passwords for login. Never create an "administrator" user account (hidden or not) and leave it unprotected by a password. Never enable automatic login without a password to any user account.
:*It is possible to enable [[Ubuntu_Precise_Tips#Automatic_user_login|automatic login]] to a preferred password-protected user account while simultaneously enabling a password-protected screensaver (the password for which must still be entered even before initial user access). This is a reasonable solution that offers protection while still allowing automatic login.

* Make sure a password-protected [[Ubuntu_Precise_Utilities#Screensavers|screensaver]] is always enabled (that will engage after a reasonably short period of inactivity).

Template:K Precise/Networking

Perspectoff — Sun, 19 May 2013 12:23:08 GMT

Perspectoff: /* Prevent unauthorized boots and system access */

= Networking =
Only one network manager and GUI interface can be enabled. Network-Manager is installed by default and works for both wired and wireless connections, and for both static and dynamic (DHCP-assigned) IP addresses. In the past, some users have preferred the [http://wicd.sourceforge.net/ Wicd] network manager, however, and it can be installed instead.

== Network Manager ==
[http://en.wikipedia.org/wiki/NetworkManager Network Manager] is the network manager installed by default in (K)Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or a wired connection).

* After installation on my system with a wired ethernet connection and manual settings for /etc/network/interfaces, Network Manager was disabled by default ("unmanaged") at installation. To activate Network Manager and allow it to manage networking settings, I edited a file (following the advice in [http://ubuntuforums.org/showthread.php?t=1451064 this thread]):
kdesudo kate /etc/NetworkManager/NetworkManager.conf

and changed the following section so that it read ''true'' instead of ''false'':
[ifupdown]
managed=true

Also, I double checked the /var/lib/NetworkManager/NetworkManager.state file to make sure that Networking was enabled:
[main]
NetworkingEnabled=true

I then restarted Network Manager:
sudo /etc/init.d/network-manager restart

* When using Network Manager to manage the settings, the default setting is to obtain an IP address from the DHCP server on the network. However, I customised the Wired Connection to accept my static IP address as a "manual" (IPv4) IP address and set my custom DNS servers (I don't use the DNS servers of my ISP for security reasons) and a random MAC address (which I change periodically to limit tracking).

* Precise is the first version of Kubuntu in which Network Manager reliably worked for me on both wired and wireless connections. When installing on a laptop with a wireless connection, it worked (in DHCP mode) without any additional configuration. Settings could then be set through the Network Manager plasma widget on the panel bar, including the ability to manually configure a static IP address for the wireless connection, as well.

== Wicd Network Manager ==
[[File:Prefapp1.png|18 px]] [http://wicd.sourceforge.net/ Wicd Network Manager] is a GTK-dependent networking manager written in Python that can be used in all variants of (K)Ubuntu. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation.
sudo apt-get remove network-manager network-manager-pptp plasma-widget-networkmanagement network-manager-kde
sudo reboot
sudo apt-get install wicd

Note: You must have a wired connection in order to install Wicd. Either install it prior to removing Network Manager or be sure the /etc/network/interfaces configuration file is properly configured manually so the default network interface allows you to access the Internet through a wired connection:
kdesudo kate /etc/network/interfaces

and remove the ''#NetworkManager#'' comments, if present and makes sure the file contents resemble:

# The loopback network interface
auto lo
iface lo inet loopback
#
# The primary network interface
auto eth0
iface eth0 inet dhcp

Then restart networking:
sudo /etc/init.d/networking restart

This restores the default networking, and then Wicd can be installed. Once Wicd is installed, the connection settings can be changed through Wicd.

== Set a static IP address ==
* Precise is the first version of Kubuntu in which I have been able to get Network Manager to accept my static IP address settings (for both wired and wireless connections).
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> IPv4 address -> Method: Manual -> IP Address: ''192.168.0.111'' -> Subnet Mask: ''255.255.255.0'' -> Gateway: ''192.168.0.1'' -> OK

:I also add the DNS servers I like to use (I don't use the DNS servers of my ISP for [[Kubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|security]] reasons).

* If you only use only a wired interface, you do not need a network manager and it can be removed if desired. Doing so requires configuring the networking settings manually.

:* In Precise, Network Manager does not need to be removed if manual settings are used in /etc/network/interfaces. To allow the settings to take effect (and the network connection to be "unmanaged" by Network Manager), edit /etc/NetworkManager/NetworkManager.conf:

sudo kate /etc/NetworkManager/NetworkManager.conf

and change the following section so that it reads ''false'':
[ifupdown]
managed=''false''

Then restart Network Manager:
sudo /etc/init.d/network-manager restart

:* Edit the /etc/network/interfaces file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces

:* and replace the line (ok if line is missing)
iface eth0 inet dhcp

:* with the following lines (using your own LAN settings and desired DNS-nameservers, of course):
auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

:* Then restart networking:
sudo /etc/init.d/networking restart

:* Check to see if your settings are now correct:
ifconfig

* The [[#Wicd_Network_Manager|Wicd]] network manager also allows a wireless connection to have a static IP.

=== Manual configuration from the command-line ===

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

sudo mkdir /etc/wpa_supplicant
cd /etc/wpa_supplicant
sudo echo network = { > wpa_supplicant.conf
sudo echo ssid="SSID" >> wpa_supplicant.conf
sudo echo key_mgmt=WPA-PSK >> wpa_supplicant.conf
sudo echo psk="PRESHAREDKEY" >> wpa_supplicant.conf
sudo echo } >> wpa_supplicant.conf
cd /etc/network
sudo gedit interfaces

Now add after "auto eth[N] ..." & "iface eth[N] .." :

wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file and restart your system.

== Internet connection sharing (DHCP server) ==
In most LANs, an inexpensive router is used to provide [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your [http://en.wikipedia.org/wiki/Local_area_network LAN] if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to [[#Using a nested wireless LAN router|nest LANs]]). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range ''10.0.0.1 - 10.0.0.250'' with netmask ''255.255.255.0'' and gateway ''10.0.0.1''). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one to the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet ([http://en.wikipedia.org/wiki/Wide_area_network WAN]) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see [[#Using a nested wireless LAN router|using a nested wireless LAN router]] below.)

(Note: If you want your LAN to use the same subnet as your WAN, see [[#Network Interfaces Bridging|network interface bridging]].)

* Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter

* Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd

* Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server

::Change the line
INTERFACES=""
::to
INTERFACES="eth0"

* Restart the DHCP server:
sudo dhcpd restart

* Right click on Network-Manager -> Edit Connections... -> Wired -> Add
: -> Connection name: ''Shared internet connection''
: -> IPv4 Settings -> Method: Manual -> Add
: -> Address: ''10.0.0.1'' -> Netmask: ''255.255.255.0'' -> Gateway: 0.0.0.0
: -> Available to all users: [x]

* Attach the ethernet cable to (eth0).
:Network-Manager -> Wired Networks -> ''Shared internet connection''

* Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter

:* Tell the firewall which port is your direct Internet Connection:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Internet connected network device: (wlan0)
:-> IP address is assigned by DHCP: [x]

:* Tell the firewall which port is for the LAN, and specify the details for the LAN:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Local network connected device: (eth0)
:-> Enable internet connection sharing: [x]
:-> Enable DHCP for the local network: [x]
:: -> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: ''10.0.0.2''
:: -> Highest IP address to assign: ''10.0.0.250'' -> Name server: <dynamic>

:Note: Use your own desired LAN settings (internal [http://en.wikipedia.org/wiki/Static_IP#Static_and_dynamic_IP_addresses DHCP-assigned dynamic IP] address range), of course. In this example I don't use the full IP range ''10.0.0.2 - 10.0.0.255'' for dynamic IP addresses because I want to reserve some LAN addresses (''10.0.0.251 - 10.0.0.255'') to be used as static IP addresses).

* Notes:
:* If you wish to use this setup all the time, make the "''Shared internet connection''" profile your default connection profile in Network Manager.

=== Using a nested wireless LAN router ===
Many users will already have an established LAN that uses an existing wireless router and has client computers that are setup to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as '''nested LANs'''. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range ''10.0.0.1 - 10.0.0.255'' (with netmask ''255.255.255.0''), as in the above example. The router's nested wireless LAN must then use a different IP range (for example ''192.168.0.1 - 192.168.0.255'' with netmask ''255.255.255.0'').

* Do not use your wireless router's WAN (Internet) port.
* Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
* Configure your wireless router's LAN so that it appears to be a ''single device'' to the main LAN:
:* Setup your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. ''10.0.0.254''), and make sure the subnet mask matches the one you chose for your main LAN (e.g. ''255.255.255.0''). The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. ''10.0.0.1'' in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
:* If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of ''192.168.0.1'' (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be ''192.168.0.2'' or greater. (Some routers ask you to specify the entire range (such as ''192.168.0.2 - 192.168.0.255''.)
* Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP ''192.168.0.1'') instead of from the main LAN gateway.
* Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
* Note: The host computer for the main LAN must have a static IP address (e.g. ''10.0.0.1'' as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

=== Network Interfaces Bridging ===
* Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils

* Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:
auto eth0
iface eth0 inet manual
#
auto br0
iface br0 inet dhcp
#
bridge_ports eth0 wlan0
#
# The loopback network interface
auto lo
iface lo inet loopback

* Restart networking with:
sudo /etc/init.d/networking restart

== Using Dynamic IP addresses for a webserver ==
Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment static IP address], then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment dynamic] (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a Dynamic DNS service to constantly keep track of your dynamically changing IP address and match it to of your web server's URL. Fortunately, there are a few Dynamic DNS services that will do this for you, either for a small fee or even for free. For more info, see [https://help.ubuntu.com/community/DynamicDNS this Ubuntu Community help] article.

For specific tips on setting up Dynamic DNS, see [[Dynamic IP servers|this article]].

== Filesharing ==
=== NFS ===
NFS is the default networking protocol for network file sharing in *nix systems (including (K)Ubuntu Linux). Here are some tips for setting up NFS from the [http://mostlylinux.wordpress.com/network/nfshowto/ Little Girl's Mostly Linux Blog].

=== Samba File Sharing ===
==== Samba client ====
Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Ubuntu and should work seamlessly (unless you have have a firewall blocking the ports).

==== Samba server ====
[http://www.samba.org/ Samba] provides file/print services for the SMB/CIFS protocol used in Windows-based networks. See the [https://help.ubuntu.com/10.10/serverguide/C/windows-networking.html official Ubuntu documentation] for more information about providing services in a Windows network. A Samba server can be installed using the tasksel option during installation of the Ubuntu [[Kubuntu_Precise_Servers#Servers|server]] from the LiveCD, or at any time using:
sudo tasksel install samba-server

* An alternative method of installation is:
sudo apt-get install samba samba-tools system-config-samba smbfs

:Note: samba-tools, system-config-samba, and smbfs are optional.

* Modify Samba settings.
:*Method 1:

:Menu -> System -> Administration -> Samba
:(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare [[Kubuntu_Precise_User_Administration#Users_and_Groups|group]], as well.

:* Method 2:
:Enable File Sharing Server With User Login (Very Reliable Method)

:Do the following on the machine that has the files to be shared:

::* Add current user to Samba:
sudo smbpasswd -a username
::(replacing username with your login username)

::* Open the samba config file:

sudo nano /etc/samba/smb.conf

::* Add the directories to be added (right at the end) in the following format:

[Pictures]
path = /home/username/<folder_to_be_shared>

::(Replace username with your username and <folder_to_be_shared> with the folder you want to share)

::Press CTRL+X and then Y to save.

::* Restart Samba:
sudo service smbd restart
sudo service nmbd restart

:::Note: Prior versions used:
sudo /etc/init.d/samba restart

* On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server which is serving the folder)

* On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported [https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/95452 here]. In brief, you need to comment out/delete any instances of these two lines in /etc/smb.conf :
case sensitive
msdfs proxy

==== Change your Workgroup ====
To change your Samba (Windows network) workgroup:
sudo nano /etc/samba/smb.conf

Look for the line:
workgroup = WORKGROUUP

and change the setting to whatever your LAN workgroup is.

==== Recognizing Win98 machines ====
Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:
sudo nano /etc/samba/smb.conf
Then add the following lines to the file:
[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

=== Integrating into Mac OS X Network ===
See [http://www.zaphu.com/2008/04/30/five-guides-on-how-to-integrate-ubuntu-into-a-mac-os-x-network/ this guide] for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

=== FTP Server ===
An FTP server allows the easy transfer of files between systems over the network. Clients such as [[Kubuntu_Precise_Internet#Filezilla|Filezilla]] can be used to interact with an FTP server. Also see these [[FTP_tips|FTP tips]].

==== vsftpd ====
[http://vsftpd.beasts.org/ vsftpd] is an FTP server available in (K)Ubuntu. For configuration information, see the [https://help.ubuntu.com/11.10/serverguide/C/ftp-server.html official Ubuntu documentation]. Install:
sudo apt-get install vsftpd

==== proftpd ====
[http://www.proftpd.org/ Proftpd] is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the [https://help.ubuntu.com/community/ProFTPD Ubuntu Community documentation]. Install:
sudo apt-get install proftpd-basic

=== WebDAV ===
[[File:Prefapp1.png|18 px]] [http://en.wikipedia.org/wiki/WebDAV WebDAV] is a method for allowing remote access to local folders via an HTTP-based web browser or file manager. This can be combined with user authentication (using LDAP or other password mechanism).

* See [[WebDAV|this page]] for instructions.

== Local Area Network ==

== Modems / Dial-up ==
Network Manager does not accept modem connections. See [https://help.ubuntu.com/10.10/internet/C/modem.html Ubuntu help] for information on identifying and connecting with a modem. These instructions require gnome-network-admin (install while connected to a wired ethernet connection):
sudo apt-get install gnome-network-admin

=== Gnome PPP and wvdial ===
[http://en.wikipedia.org/wiki/Gnome-ppp Gnome PPP] is a discontinued GUI frontend for the [http://alumnit.ca/wiki/index.php?page=WvDial wvdial] PPP modem dialer. It is still available as a package. Install:
sudo apt-get install gnome-ppp wvdial

See [http://ubuntuforums.org/showthread.php?t=931872 this forum thread] for tweaks required to make Gnome PPP and wvdial operational in Lucid.

=== GPPP ===
GPPP was the default modem dialing application in previous versions of Ubuntu.

:Menu -> Applications -> Internet -> GPPP Internet Dial-up

= Remote Access =
There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

== SSH ==
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.

=== Connect to a remote SSH server ===

==== From the command-line terminal ====
Install the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 OpenSSH] client (if not already installed):
sudo apt-get install openssh-client

From the command-line Terminal type:

ssh -C <username>@<computer name or IP address>

:Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz

:or:

ssh -C mike@192.168.1.1

:or
ssh -C 192.168.1.1 -l mike

:Note: -l specifies the login id.

If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C joe.friday@remote.computer.xyz:11022

:or

ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/''user''/.ssh. The key should be accessible only to ''user''
sudo chmod 600 /home/''user''/.ssh/identity

:or

sudo chmod 600 /home/''user''/.ssh/id_rsa

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

==== Port forwarding through SSH ====
* See [[Using_SSH_to_Port_Forward|Using SSH to Port Forward]] for full details.

* In brief, use
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the the SSH tunnel port.
To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
krdc vnc://localhost:<local port>

Note: ''localhost'' is equivalent to (and interchangeable with) ''127.0.0.1''. Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as [[#X11VNC_Server|X11VNC]]) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote '''computer''' (such as 192.168.1.155) instead of the remote '''router''''s IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

''Example'':
For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up an [[#X11VNC_Server|X11VNC server]] on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/ public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.

=== PuTTY ===
[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run Putty to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage [[#OpenSSH Public Key Authentication|OpenSSH]] is generally recommended instead).
sudo apt-get install putty putty-tools

* To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use [http://linux.die.net/man/1/puttygen Puttygen] (part of Putty-tools). (For me the Linux version of Puttygen is occasionally buggy, however, so I recommend [[#OpenSSH Public Key Authentication|OpenSSH keygen]] for routine usage instead):
puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
puttygen putty_rsa.ppk -O private-openssh -o id_rsa

* Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/''user''/.ssh) folder
mv id_rsa* ~/.ssh

* [[#OpenSSH Public Key Authentication|Copy the public key]] ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:

ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

* Connect a VNC client (such as Krdc) through SSH using the command-line:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22''
krdc vnc://127.0.0.1:5900

:or as a single command:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22'' sleep 5; krdc vnc://127.0.0.1::5900

* Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

==== Using keys created by Puttygen in OpenSSH ====
The public security key generated by Puttygen in Windows is generally not compatible with OpenSSH security keys unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see [http://unixwiz.net/techtips/putty-openssh.html this tutorial]), the public key looks like:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100302"
AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6k
unPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYD
ZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9
YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvC
bYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykee
RwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
---- END SSH2 PUBLIC KEY ----

* To be used by OpenSSH, the saved public key must be edited.
:* Delete the first two lines (with the BEGIN and Comment: in them) and the last line.
:* Join the remaining lines into a single line.
:* Place ssh-rsa at the beginning.
:* It should end up looking like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==

* Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course). PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.

=== Connect using SSH Agent ===
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See [http://kimmo.suominen.com/docs/ssh/#ssh-agent this tutorial].

Also see this alternative simple approach: [[#Connect with SSH and start an application with a single command|Connect with SSH and start an application with a single command]].

=== Setup an SSH server ===
[[File:Prefapp1.png|18 px]] Install the [https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html OpenSSH] server:
sudo apt-get install openssh-server

:or
sudo apt-get install tasksel
sudo tasksel install openssh-server

Note: The OpenSSH server can also be installed when doing a [[Kubuntu_Precise_Servers#Servers|server]] installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See [http://pigtail.net/LRP/printsrv/cygwin-sshd.html these instructions].

* Don't forget to forward the port on which your OpenSSH server is listening. The default SSH port is 22; if the default is used, the router should therefore forward port 22 to the computer on the LAN that is hosting the OpenSSH server. The OpenSSH listening port can be changed; in fact, each computer on the LAN can listen on its own unique SSH port, if desired. The router must forward each specified listening port to the correct computer. Therefore, if computer 1 has its OpenSSH server set to listen on port 22221, then the router should forward port 22221 to computer 1's LAN IP address. If computer 2 has its OpenSSH listening port set to 22222, then obviously the router must forward port 22222 to computer 2's LAN IP address. To change the listening port of the OpenSSH server, edit the /etc/ssh/sshd_config file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/ssh/sshd_config

and change the listening port from 22 to your desired listening port:
Port ''22221''

then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

:* For greater port security (and to minimize [http://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]), consider using [[Kubuntu_Precise_Network_Management#Knockd_.28Port_security.29|Knockd]].

==== Limit authorized SSH users ====
* See [[Limit_the_user_accounts_that_can_connect_through_OpenSSH_remotely|Limit the user accounts that can connect through OpenSSH remotely]]

==== OpenSSH Public Key Authentication ====
See this [http://sial.org/howto/openssh/publickey-auth/ OpenSSH Public Key Authentication Tutorial].

In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen

A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/''user''/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)

:* The private key must only be accessible (and should be read-only) to ''user'', the owner of the file:
chmod 600 /home/''user''/.ssh/id_rsa

::You could also make the entire .ssh folder accessible only to ''user'':

chmod 700 /home/''user''/.ssh

* Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

:* The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as ''serveruser'' (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys
Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.):
cd ~/.ssh
chown ''serveruser'' id_rsa.pub
cat authorized_keys id_rsa.pub >> authorized_keys

* Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config

:*Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys

* Remove the ability to login to the OpenSSH server using password authentication:
sudo nano /etc/ssh/sshd_config

:* Change the line
#PasswordAuthentication yes
:to
PasswordAuthentication no

* Restart the OpenSSH server:
sudo /etc/init.d/ssh restart

* Now you can connect securely with an SSH tunnel without requiring a password, logging in as ''serveruser''.

ssh -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p ''22''

==== Connect with SSH and start an application with a single command ====
* If you have created an [[#OpenSSH Public Key Authentication|OpenSSH key pair]] (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p 22 sleep 5; krdc vnc://127.0.0.1::5900
:* Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH option -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to continue to proceed to the next command(s) listed on the command line mini-script. The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.

* Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

==== Automate SSH connections that require a password ====
This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the [[#OpenSSH Public Key Authentication|OpenSSH key pair]] methods described above, instead. This method is listed here for reference.

* Terminal interactions (such as the SSH password challenge) can be automated using the [http://linux.die.net/man/1/expect expect] utility. Install:
sudo apt-get install expect

* If, for example, your SSH client ID is ''clientuserID'', yourpassword is ''not#1sostrong'', and the remote SSH server is ''remoteserver.computer.xyz'' (using the default SSH port of ''22''), then use this command to start the SSH tunnel:

expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. ''5900'' and ''5901'' are the ports to be used on either side of the tunnel (port ''5900'' is used for VNC, for example). See [[#Port_forwarding_through_SSH|Port forwarding through SSH]] for more details.

You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).

== VNC ==
Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as [[#X11VNC_Server|X11VNC]], [[#Vino Remote Desktop VNC server|Vino]], or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent —- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as [http://www.uvnc.com/docs/uvnc-viewer.html UltraVNC Viewer].)

=== Vino Remote Desktop VNC server ===
Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:

:Menu -> System -> Preferences -> Remote Desktop

* You can accept uninvited connections in the Security section. You can require a password for these connections.
* This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use [[#X11VNC_Server|X11VNC]] instead.

* A user can connect using [[#Vinagre VNC client|Vinagre]], the [[#Terminal Server Client|Terminal Server Client]], or any other VNC client.

==== How to securely use VNC with SSH tunneling ====
It is less secure to leave the VNC listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under [[#Port forwarding through SSH|SSH port forwarding]], the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

=== X11VNC Server ===
[[File:Prefapp1.png|18 px]] While Vino is easy to use, X11VNC allows far more customization and therefore can be used more in situations where greater security is needed.
* Install an X11VNC server to share your desktop with other computer:
sudo apt-get install x11vnc

* Run X11VNC without a password:
x11vnc -forever -rfbport 5900

:Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. Don't forget to open/forward this port in your firewall/router. By default X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See [http://www.karlrunge.com/x11vnc/x11vnc_opts.html here] for more command line options.

* Create a password to use with X11VNC:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass

* X11VNC can then be started with a password:
x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

* You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.config/autostart/x11vnc.sh
chmod +x ~/.config/autostart/x11vnc.sh

:* You can test the startup script:
~/.config/autostart/x11vnc.sh

==== Using VNC with SSH ====
See [[#Port forwarding through SSH|Port forwarding through SSH]] for additional information.

=== Vinagre VNC client ===
[http://library.gnome.org/users/vinagre/stable/index.html.en Vinagre] is the default Gnome-based VNC client used in Ubuntu.
* Menu -> Applications -> Internet -> Remote Desktop Viewer

=== Terminal Server Client ===
The Terminal Server Client is an Ubuntu/Gnome frontend for [http://www.rdesktop.org/ rdesktop] (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). In can be used instead of Vinagre.
* Menu -> Applications -> Internet -> Terminal Server Client

* To use it with VNC, one of the VNC clients must be installed first. For example, install the [http://www.tightvnc.com/ TightVNC] client:
sudo apt-get install xtightvncviewer

:*Note that the TightVNC client can be used from the command line (or as a menu item) directly:
vncviewer ''192.168.0.12''::''5900''

:where ''192.168.0.12'' is an example ''host'' location that is running a VNC server on port 5900. For more command-line options, use
man vncviewer

=== Krdc VNC client ===
[[File:Prefapp1.png|18 px]] Krdc is the default VNC client in Kubuntu/KDE but can be used in GNOME. It can be used for both VNC and RDP connections. Installing it will also install the Qt platform and many KDE utilities (a large download).
sudo apt-get install krdc

* Run:
:Menu -> Applications -> Internet -> Krdc

* The command-line connection (for use as a menu-item, for example) is:
krdc vnc://<remote IP>

* If the remote (Krfp) VNC server is using a <remote port> other than the default 5900 port, use
krdc vnc://<remote IP>:<remote port>

* Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol).
krdc rdp://<remote IP>:<remote port>

==== Using a VNC client with SSH ====
See [http://jeltsch.org/node/209 this howto] for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an [[#Port forwarding through SSH|SSH tunnel with port forwarding]] using Putty or the command line:
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
::then you would start a VNC client such as Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use
krdc vnc://localhost

=== XVNC4Viewer VNC Client ===
XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:
sudo apt-get install xvnc4viewer

=== Automatic user login (for use with VNC) ===
VNC only works if a user is logged in. When a computer (hosting one or more servers) is intended to start up unattended and VNC (with or without SSH tunneling) is to be used, the computer ought to start with the primary user logged in. To accomplish this:
:Menu -> System -> System Settings -> Login Manager -> Convenience -> Enable Auto-Login (''ticked'') -> Lock session (''ticked'')
::-> Pre-select user: Specified: ''Choose primary user'' (i.e. the user hosting the SSH tunnel, if any, and the VNC server)
::-> Automatically log in again after X server crash (''ticked'')

* Also make sure the VNC server is set to Autostart at bootup.

== FreeNX ==
[https://help.ubuntu.com/community/FreeNX FreeNX] is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

=== FreeNX Server ===
The Free server .deb package can be downloaded from [http://www.nomachine.com/select-package.php?os=linux&id=1 No Machine free server downloads].

* Alternatively, [[Kubuntu_Precise_Repositories#Add_Extra_Repositories|add the following repositories]]:
sudo add-apt-repository ppa:freenx-team

* Install the package:
sudo apt-get update
sudo apt-get install freenx

=== FreeNX Client ===
Download the self-installing .deb file from [http://www.nomachine.com/select-package-client.php No Machine Client downloads].

== XDMCP ==
[http://www.tldp.org/HOWTO/XDMCP-HOWTO/index.html XDMCP] allows a separate remote login by an authorized user. This login is separate from the local user.
*XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Ubuntu. To enable it, edit the configuration file:

gedit /etc/gdm/custom.conf

* Find and change (or add) the line from false to true so that it reads:

[Xdmcp]
Enable=true

=== Telnet ===
SSH is, basically, secure Telnet.

== VPN clients ==
A [http://en.wikipedia.org/wiki/Virtual_private_network VPN] (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.

=== VPN through Network Manager ===
* The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc

* To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn

* To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp

* Configure:
::Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

=== vpnautoconnect (vpn daemon) ===
[http://sourceforge.net/projects/vpnautoconnect/ vpnautoconnect] is a daemon to allow automatic vpn connections through Network Manager. [http://sourceforge.net/projects/vpnautoconnect/files/ Download] and install the .deb package for your OS version.

=== Other VPN clients ===
Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):
:* [http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc vpnc], [http://grml.org/online-docs/grml-vpn.8.html grml-vpn] -- for Cisco-compliant (IPSec) VPN networks
:* [http://www.openswan.org/ openswan] -- for IPSec (OpenSwan) VPN networks
:* [http://pptpclient.sourceforge.net/ pptp-linux] -- for PPTP (MS Windows-compliant) VPN networks
:* [http://openvpn.net/ openvpn], gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

== VPN servers ==
=== OpenVPN ===
[http://openvpn.net/ OpenVPN] is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):
sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:
sudo apt-get install gadmin-openvpn-server

Also see [[OpenVPN_server|these installation tips]].

=== Poptop (PPTP Server) ===
[http://poptop.sourceforge.net/ Poptop] is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:
sudo apt-get install pptpd

=== OpenSwan ===
[http://www.openswan.org/ OpenSwan] is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:
sudo apt-get install openswan linux-patch-openswan

= Security =
Ubuntu by default is a fairly safe system. However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to [http://www.psychocats.net/ubuntu/security#bestpractices Ubuntu Security Best Practices] is available. Recommended reading includes the book ''[http://www.harpercollins.com/books/9780061962233/Cyber_War/index.aspx Cyber War]'' by [http://en.wikipedia.org/wiki/Richard_A._Clarke Richard Clark] and [http://news.cnet.com/8301-27080_3-20004505-245.html this interview] with Joe Weiss (IT advisor for the energy-sector smart grid). Also read [http://money.cnn.com/2013/04/08/technology/security/shodan/index.html?iid=HP_LN read this CNN Money article].

== Firewall ==
Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it that one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify [http://en.wikipedia.org/wiki/Iptables iptables], which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line, as well, but if you are that much of an expert, you probably don't need this guide.) Also see the [https://help.ubuntu.com/12.04/serverguide/firewall.html official Ubuntu documentation].

=== Firestarter ===
[[File:Prefapp1.png|18 px]] [http://www.fs-security.com/ Firestarter] is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.
sudo apt-get install firestarter

==== Firestarter fails to open system log ====
This is a problem in Precise. See the [[Syslogd_to_rsyslog|solution here]].

=== Guarddog ===
[http://www.simonzone.com/software/guarddog/ Guarddog] is a GUI firewall configuration utility that has been used for KDE. It has a complex array of configuration, and is difficult to use for some beginners.
sudo apt-get install guarddog

=== Uncomplicated Firewall ===
[http://wiki.ubuntu.com/UncomplicatedFirewall Uncomplicated Firewall] is installed in (K)Ubuntu by default, but all ports are open initially. It is configurable through the [[Kubuntu_Precise_Introduction#General_Notes|command-line interface]]. See [http://ubuntuforums.org/showthread.php?t=823741 this forum thread], [http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html or this usage tutorial], or [https://help.ubuntu.com/community/UFW Ubuntu community help] for tips on how to set up and use it.
If not installed, it can be installed:
apt-get install ufw

==== Gufw ====
[http://gufw.tuxfamily.org/index.html Gufw] is a graphical user interface for Uncomplicated Firewall. Install:
sudo apt-get install gufw

== Anti-virus ==
* If you are running a file server, interface frequently with Windows drives or share files with Windows users, or use virtualization, you will want a virus checker for your Windows files.

* Despite extensive minsinformation, Linux is not immune from malware (witness the explosion of malware being created for the Linux-based Google Android systems). The malware is not usually spread within the OS itself (as long as the OS is a well-respected distribution obtained through official channels), but in trojan programs downloaded and installed by users outside of the normal software distribution channels (i.e. repositories) of the OS. There is always a danger to using programs downloaded from the Internet from sources other than respected repositories -- it is the primary reason that Debian and (K)Ubuntu retain tight control over their software repositories.

* Any file can have malware embedded in it (which is trivial to achieve by concatenation, for example: ''cat originalfile.avi malware.exe > originalfileplusmalware.avi''). The question is whether a user will try to open a file with a program (such as a media player) that has been compromised in a way that allows it to execute the code found in the infected media (e.g. .avi) file. This can occur not only for Windows users but for any OS (including Mac OSX and Linux) with a compromised program (e.g. media player). An example is the extensive problems the Mac OS community is currently having with the Flash player.

* Routine scanning of any file downloaded from the Internet, any file imported from another user's computer (even a trusted source, since their attention to virus prevention may not be as compulsive as yours), or any attachment received in an email (even from a trusted sender) should be done with an anti-virus program.

=== ClamAV ===
[[File:Prefapp1.png|18 px]] [http://www.clamav.net/ ClamAV] is the open source virus tool for Linux. To install ClamAV:
sudo apt-get install clamav

* If an error is returned: "The database directory must be writable for UID 1000 or GID 1000" in order for the virus database to be updated, then change the ownership of the installation directory (/var/lib/clamav):
sudo chown 1000 /var/lib/clamav

==== ClamTk (ClamAV GUI) ====
[http://clamtk.sourceforge.net/ ClamTk] is a GTK-based GUI frontend for ClamAV. Install:
sudo apt-get install clamtk

=== AVG ===
[http://free.avg.com/us-en/download.prd-afl AVG] offers a free virus scanner for Linux in a .deb package. Download and install from the website.
=== Avast ===
[http://www.avast.com/linux-home-edition Avast] offers a Linux edition (for home users only) in a .deb package. Download and install from the website.

== Anti-spam ==

=== Spam Assasin ===
[http://spamassassin.apache.org/ SpamAssasin] is written in perl, and is mostly for use with a server (such as a groupware server or Apache). Install:
sudo apt-get spamassassin

== Rootkit checkers ==
[http://en.wikipedia.org/wiki/Rootkit Rootkits] are malicious [http://en.wikipedia.org/wiki/Trojan_horse_(computing) trojan]-like programs to allow an intruder to become a root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected. Your rootkit checker should therefore be run from another system, or a [[Kubuntu_Precise_System_Backup#Run_.28K.29Ubuntu_LiveCD_from_a_USB_pendrive|USB pendrive with an Ubuntu LiveCD installation]]. See the rootkit checker manuals for instructions how to do this. If you are infected with a rootkit, you must backup all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems).

=== Chkrootkit ===
[http://www.chkrootkit.org/ Chkrootkit] checks locally for signs of a rootkit. See the [http://www.chkrootkit.org/README chkrootkit manual] for usage instructions.
:Install:
sudo apt-get install chkrootkit
:Run:
sudo chkrootkit

=== Rootkit Hunter ===
[http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit Hunter] is compatible with (K)Ubuntu systems. See the [http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 usage instructions].
:Install:
sudo apt-get install rkhunter
:Run:
sudo rkhunter

=== Malicious commands to avoid ===
There are many [[Malicious_Linux_Commands|malicious commands]] to be avoided in Linux (as in all operating systems). It is worthwhile to be aware of these dangerous commands so that they are not executed by accident or by malicious advice.

== USB drives ==
USB drives are a major source of security risk and means of data theft.

* An administrator password should be set for the computer BIOS and booting from a USB drive or CD/DVD should be disabled. (Otherwise, any passerby can boot their own OS and then use it to steal data from the hard drive.)

* See [http://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/ this article] for methods of restricting USB usage to authorized users.

== Prevent unauthorized boots and system access ==
Many computers are kept in places where casual passersby may have an opportunity to access the computer, unobserved for short periods. In addition to physical precautions to prevent or slow computer theft (such as locked cases, alarms, and security cables similar to those used to slow bicycle theft), [http://www.pcworld.com/article/114727/lock_down_your_pc.html precautions] should be taken to prevent an unauthorized operating system from being booted using an external device (such as USB drive). Once such as external OS is booted, it can be used to access most hard drive(s) on the computer and the contents copied to a second external device (to be examined or unencrypted later). This is a common means of data theft that is fast and easy to accomplish, and means to deter it should be taken on any public or semi-public computer.

* Set BIOS to restrict bootup to the hard drive only.
:* Set a Supervisor/Administrator password for your computer's BIOS. (I recommend writing it down and taping it to the inside cover of the computer case prior to locking the computer case.) Disable booting from all devices except the hard drive. Setting the hard drive as the first priority boot device is not enough, as most current BIOS menus allow manual selection of any enabled boot devices. Only the hard drive should be left enabled.

* Enable Hard Drive locking, if your computer's BIOS allows it. Most hard drives allow a password to be set by the BIOS and stored in a chip on the hard drive controller which can only be reset by disassembling the hard drive. (Some manufacturers provide a backdoor security key, however.) BIOS versions found on newer computers/laptops allow this password to be set in the BIOS, so that only a BIOS containing the correct password can unlock the hard drive. (If the hard drive is then removed from the computer, it cannot be accessed by any BIOS that does not have the correct password or backdoor security key.) Note, however, that this precaution does not protect against booting from external devices if the BIOS is still set to allow that.
:* There is a risk to this security measure. If you forget the password and the BIOS passwords somehow get reset, the hard drive would become inaccessible. The BIOS and Hard Drive password(s) should always be stored in a safe location.

* Password protect the Grub bootloader. Without password protection, Grub can be used to circumvent BIOS restrictions. See this section for [[Kubuntu_Precise_System_Administration#Protecting_Grub2_from_cracking|Grub Legacy]] and this section for [[Kubuntu_Precise_System_Administration#Protecting_Grub2_from_cracking|Grub2]].

* Make sure all user accounts are protected by a [[Kubuntu_Precise_Privacy#Passwords_and_file_authentication|password]], and always require passwords for login. Never create an "administrator" user account (hidden or not) and leave it unprotected by a password. Never enable automatic login without a password to any user account.
:* It is possible to enable [[Kubuntu_Precise_Tips#Automatic_user_login|automatic login]] to a preferred password-protected user account while simultaneously enabling a password-protected screensaver (the password for which must still be entered even before initial user access). This is a reasonable solution that offers protection while still allowing automatic login.

* Make sure a password-protected [[Kubuntu_Precise_Utilities#Screensavers|screensaver]] is always enabled (that will engage after a reasonably short period of inactivity).

Template:K Quantal/Networking

Perspectoff — Sun, 19 May 2013 12:22:16 GMT

Perspectoff: /* Prevent unauthorized boots and system access */

= Networking =
Only one network manager and GUI interface can be enabled. Network-Manager is installed by default and works for both wired and wireless connections, and for both static and dynamic (DHCP-assigned) IP addresses. In the past, some users have preferred the [http://wicd.sourceforge.net/ Wicd] network manager, however, and it can be installed instead.

== Network Manager ==
[http://en.wikipedia.org/wiki/NetworkManager Network Manager] is the network manager installed by default in (K)Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or a wired connection).

* After installation on my system with a wired ethernet connection and manual settings for /etc/network/interfaces, Network Manager was disabled by default ("unmanaged") at installation. To activate Network Manager and allow it to manage networking settings, I edited a file (following the advice in [http://ubuntuforums.org/showthread.php?t=1451064 this thread]):
kdesudo kate /etc/NetworkManager/NetworkManager.conf

and changed the following section so that it read ''true'' instead of ''false'':
[ifupdown]
managed=true

Also, I double checked the /var/lib/NetworkManager/NetworkManager.state file to make sure that Networking was enabled:
[main]
NetworkingEnabled=true

I then restarted Network Manager:
sudo /etc/init.d/network-manager restart

* When using Network Manager to manage the settings, the default setting is to obtain an IP address from the DHCP server on the network. However, I customised the Wired Connection to accept my static IP address as a "manual" (IPv4) IP address and set my custom DNS servers (I don't use the DNS servers of my ISP for security reasons) and a random MAC address (which I change periodically to limit tracking).

* Quantal is the first version of Kubuntu in which Network Manager reliably worked for me on both wired and wireless connections. When installing on a laptop with a wireless connection, it worked (in DHCP mode) without any additional configuration. Settings could then be set through the Network Manager plasma widget on the panel bar, including the ability to manually configure a static IP address for the wireless connection, as well.

== Wicd Network Manager ==
[[File:Prefapp1.png|18 px]] [http://wicd.sourceforge.net/ Wicd Network Manager] is a GTK-dependent networking manager written in Python that can be used in all variants of (K)Ubuntu. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation.
sudo apt-get remove network-manager network-manager-pptp plasma-widget-networkmanagement network-manager-kde
sudo reboot
sudo apt-get install wicd

Note: You must have a wired connection in order to install Wicd. Either install it prior to removing Network Manager or be sure the /etc/network/interfaces configuration file is properly configured manually so the default network interface allows you to access the Internet through a wired connection:
kdesudo kate /etc/network/interfaces

and remove the ''#NetworkManager#'' comments, if present and makes sure the file contents resemble:

# The loopback network interface
auto lo
iface lo inet loopback
#
# The primary network interface
auto eth0
iface eth0 inet dhcp

Then restart networking:
sudo /etc/init.d/networking restart

This restores the default networking, and then Wicd can be installed. Once Wicd is installed, the connection settings can be changed through Wicd.

== Set a static IP address ==
* Quantal is the first version of Kubuntu in which I have been able to get Network Manager to accept my static IP address settings (for both wired and wireless connections).
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> IPv4 address -> Method: Manual -> IP Address: ''192.168.0.111'' -> Subnet Mask: ''255.255.255.0'' -> Gateway: ''192.168.0.1'' -> OK

:I also add the DNS servers I like to use (I don't use the DNS servers of my ISP for [[Kubuntu_Quantal_Privacy#DNS_Servers_and_Search_engines|security]] reasons).

* If you only use only a wired interface, you do not need a network manager and it can be removed if desired. Doing so requires configuring the networking settings manually.

:* In Quantal, Network Manager does not need to be removed if manual settings are used in /etc/network/interfaces. To allow the settings to take effect (and the network connection to be "unmanaged" by Network Manager), edit /etc/NetworkManager/NetworkManager.conf:

sudo kate /etc/NetworkManager/NetworkManager.conf

and change the following section so that it reads ''false'':
[ifupdown]
managed=''false''

Then restart Network Manager:
sudo /etc/init.d/network-manager restart

:* Edit the /etc/network/interfaces file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces

:* and replace the line (ok if line is missing)
iface eth0 inet dhcp

:* with the following lines (using your own LAN settings and desired DNS-nameservers, of course):
auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

:* Then restart networking:
sudo /etc/init.d/networking restart

:* Check to see if your settings are now correct:
ifconfig

* The [[#Wicd_Network_Manager|Wicd]] network manager also allows a wireless connection to have a static IP.

=== Manual configuration from the command-line ===

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

sudo mkdir /etc/wpa_supplicant
cd /etc/wpa_supplicant
sudo echo network = { > wpa_supplicant.conf
sudo echo ssid="SSID" >> wpa_supplicant.conf
sudo echo key_mgmt=WPA-PSK >> wpa_supplicant.conf
sudo echo psk="PRESHAREDKEY" >> wpa_supplicant.conf
sudo echo } >> wpa_supplicant.conf
cd /etc/network
sudo gedit interfaces

Now add after "auto eth[N] ..." & "iface eth[N] .." :

wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file and restart your system.

== Internet connection sharing (DHCP server) ==
In most LANs, an inexpensive router is used to provide [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your [http://en.wikipedia.org/wiki/Local_area_network LAN] if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to [[#Using a nested wireless LAN router|nest LANs]]). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range ''10.0.0.1 - 10.0.0.250'' with netmask ''255.255.255.0'' and gateway ''10.0.0.1''). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one to the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet ([http://en.wikipedia.org/wiki/Wide_area_network WAN]) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see [[#Using a nested wireless LAN router|using a nested wireless LAN router]] below.)

(Note: If you want your LAN to use the same subnet as your WAN, see [[#Network Interfaces Bridging|network interface bridging]].)

* Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter

* Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd

* Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server

::Change the line
INTERFACES=""
::to
INTERFACES="eth0"

* Restart the DHCP server:
sudo dhcpd restart

* Right click on Network-Manager -> Edit Connections... -> Wired -> Add
: -> Connection name: ''Shared internet connection''
: -> IPv4 Settings -> Method: Manual -> Add
: -> Address: ''10.0.0.1'' -> Netmask: ''255.255.255.0'' -> Gateway: 0.0.0.0
: -> Available to all users: [x]

* Attach the ethernet cable to (eth0).
:Network-Manager -> Wired Networks -> ''Shared internet connection''

* Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter

:* Tell the firewall which port is your direct Internet Connection:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Internet connected network device: (wlan0)
:-> IP address is assigned by DHCP: [x]

:* Tell the firewall which port is for the LAN, and specify the details for the LAN:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Local network connected device: (eth0)
:-> Enable internet connection sharing: [x]
:-> Enable DHCP for the local network: [x]
:: -> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: ''10.0.0.2''
:: -> Highest IP address to assign: ''10.0.0.250'' -> Name server: <dynamic>

:Note: Use your own desired LAN settings (internal [http://en.wikipedia.org/wiki/Static_IP#Static_and_dynamic_IP_addresses DHCP-assigned dynamic IP] address range), of course. In this example I don't use the full IP range ''10.0.0.2 - 10.0.0.255'' for dynamic IP addresses because I want to reserve some LAN addresses (''10.0.0.251 - 10.0.0.255'') to be used as static IP addresses).

* Notes:
:* If you wish to use this setup all the time, make the "''Shared internet connection''" profile your default connection profile in Network Manager.

=== Using a nested wireless LAN router ===
Many users will already have an established LAN that uses an existing wireless router and has client computers that are setup to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as '''nested LANs'''. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range ''10.0.0.1 - 10.0.0.255'' (with netmask ''255.255.255.0''), as in the above example. The router's nested wireless LAN must then use a different IP range (for example ''192.168.0.1 - 192.168.0.255'' with netmask ''255.255.255.0'').

* Do not use your wireless router's WAN (Internet) port.
* Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
* Configure your wireless router's LAN so that it appears to be a ''single device'' to the main LAN:
:* Setup your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. ''10.0.0.254''), and make sure the subnet mask matches the one you chose for your main LAN (e.g. ''255.255.255.0''). The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. ''10.0.0.1'' in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
:* If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of ''192.168.0.1'' (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be ''192.168.0.2'' or greater. (Some routers ask you to specify the entire range (such as ''192.168.0.2 - 192.168.0.255''.)
* Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP ''192.168.0.1'') instead of from the main LAN gateway.
* Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
* Note: The host computer for the main LAN must have a static IP address (e.g. ''10.0.0.1'' as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

=== Network Interfaces Bridging ===
* Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils

* Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:
auto eth0
iface eth0 inet manual
#
auto br0
iface br0 inet dhcp
#
bridge_ports eth0 wlan0
#
# The loopback network interface
auto lo
iface lo inet loopback

* Restart networking with:
sudo /etc/init.d/networking restart

== Using Dynamic IP addresses for a webserver ==
Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment static IP address], then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment dynamic] (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a Dynamic DNS service to constantly keep track of your dynamically changing IP address and match it to of your web server's URL. Fortunately, there are a few Dynamic DNS services that will do this for you, either for a small fee or even for free. For more info, see [https://help.ubuntu.com/community/DynamicDNS this Ubuntu Community help] article.

For specific tips on setting up Dynamic DNS, see [[Dynamic IP servers|this article]].

== Filesharing ==
=== NFS ===
NFS is the default networking protocol for network file sharing in *nix systems (including (K)Ubuntu Linux). Here are some tips for setting up NFS from the [http://mostlylinux.wordpress.com/network/nfshowto/ Little Girl's Mostly Linux Blog].

=== Samba File Sharing ===
==== Samba client ====
Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Ubuntu and should work seamlessly (unless you have have a firewall blocking the ports).

==== Samba server ====
[http://www.samba.org/ Samba] provides file/print services for the SMB/CIFS protocol used in Windows-based networks. See the [https://help.ubuntu.com/10.10/serverguide/C/windows-networking.html official Ubuntu documentation] for more information about providing services in a Windows network. A Samba server can be installed using the tasksel option during installation of the Ubuntu [[Kubuntu_Quantal_Servers#Servers|server]] from the LiveCD, or at any time using:
sudo tasksel install samba-server

* An alternative method of installation is:
sudo apt-get install samba samba-tools system-config-samba smbfs

:Note: samba-tools, system-config-samba, and smbfs are optional.

* Modify Samba settings.
:*Method 1:

:Menu -> System -> Administration -> Samba
:(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare [[Kubuntu_Quantal_User_Administration#Users_and_Groups|group]], as well.

:* Method 2:
:Enable File Sharing Server With User Login (Very Reliable Method)

:Do the following on the machine that has the files to be shared:

::* Add current user to Samba:
sudo smbpasswd -a username
::(replacing username with your login username)

::* Open the samba config file:

sudo nano /etc/samba/smb.conf

::* Add the directories to be added (right at the end) in the following format:

[Pictures]
path = /home/username/<folder_to_be_shared>

::(Replace username with your username and <folder_to_be_shared> with the folder you want to share)

::Press CTRL+X and then Y to save.

::* Restart Samba:
sudo service smbd restart
sudo service nmbd restart

:::Note: Prior versions used:
sudo /etc/init.d/samba restart

* On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server which is serving the folder)

* On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported [https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/95452 here]. In brief, you need to comment out/delete any instances of these two lines in /etc/smb.conf :
case sensitive
msdfs proxy

==== Change your Workgroup ====
To change your Samba (Windows network) workgroup:
sudo nano /etc/samba/smb.conf

Look for the line:
workgroup = WORKGROUUP

and change the setting to whatever your LAN workgroup is.

==== Recognizing Win98 machines ====
Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:
sudo nano /etc/samba/smb.conf
Then add the following lines to the file:
[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

=== Integrating into Mac OS X Network ===
See [http://www.zaphu.com/2008/04/30/five-guides-on-how-to-integrate-ubuntu-into-a-mac-os-x-network/ this guide] for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

=== FTP Server ===
An FTP server allows the easy transfer of files between systems over the network. Clients such as [[Kubuntu_Quantal_Internet#Filezilla|Filezilla]] can be used to interact with an FTP server. Also see these [[FTP_tips|FTP tips]].

==== vsftpd ====
[http://vsftpd.beasts.org/ vsftpd] is an FTP server available in (K)Ubuntu. For configuration information, see the [https://help.ubuntu.com/12.10/serverguide/C/ftp-server.html official Ubuntu documentation]. Install:
sudo apt-get install vsftpd

==== proftpd ====
[http://www.proftpd.org/ Proftpd] is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the [https://help.ubuntu.com/community/ProFTPD Ubuntu Community documentation]. Install:
sudo apt-get install proftpd-basic

=== WebDAV ===
[[File:Prefapp1.png|18 px]] [http://en.wikipedia.org/wiki/WebDAV WebDAV] is a method for allowing remote access to local folders via an HTTP-based web browser or file manager. This can be combined with user authentication (using LDAP or other password mechanism).

* See [[WebDAV|this page]] for instructions.

== Local Area Network ==
== Modems / Dial-up ==
Network Manager does not accept modem connections. See [https://help.ubuntu.com/10.10/internet/C/modem.html Ubuntu help] for information on identifying and connecting with a modem. These instructions require gnome-network-admin (install while connected to a wired ethernet connection):
sudo apt-get install gnome-network-admin

=== Gnome PPP and wvdial ===
[http://en.wikipedia.org/wiki/Gnome-ppp Gnome PPP] is a discontinued GUI frontend for the [http://alumnit.ca/wiki/index.php?page=WvDial wvdial] PPP modem dialer. It is still available as a package. Install:
sudo apt-get install gnome-ppp wvdial

See [http://ubuntuforums.org/showthread.php?t=931872 this forum thread] for tweaks required to make Gnome PPP and wvdial operational in Lucid.

=== GPPP ===
GPPP was the default modem dialing application in previous versions of Ubuntu.

:Menu -> Applications -> Internet -> GPPP Internet Dial-up

= Remote Access =
There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

== SSH ==
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.

=== Connect to a remote SSH server ===
==== From the command-line terminal ====
Install the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 OpenSSH] client (if not already installed):
sudo apt-get install openssh-client

From the command-line Terminal type:

ssh -C <username>@<computer name or IP address>

:Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz

:or:

ssh -C mike@192.168.1.1

:or
ssh -C 192.168.1.1 -l mike

:Note: -l specifies the login id.

If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C joe.friday@remote.computer.xyz:11022

:or

ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/''user''/.ssh. The key should be accessible only to ''user''
sudo chmod 600 /home/''user''/.ssh/identity

:or

sudo chmod 600 /home/''user''/.ssh/id_rsa

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

==== Port forwarding through SSH ====
* See [[Using_SSH_to_Port_Forward|Using SSH to Port Forward]] for full details.

* In brief, use
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the the SSH tunnel port.
To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
krdc vnc://localhost:<local port>

Note: ''localhost'' is equivalent to (and interchangeable with) ''127.0.0.1''. Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as [[#X11VNC_Server|X11VNC]]) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote '''computer''' (such as 192.168.1.155) instead of the remote '''router''''s IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

''Example'':
For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up an [[#X11VNC_Server|X11VNC server]] on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/ public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.

=== PuTTY ===
[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run Putty to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage [[#OpenSSH Public Key Authentication|OpenSSH]] is generally recommended instead).
sudo apt-get install putty putty-tools

* To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use [http://linux.die.net/man/1/puttygen Puttygen] (part of Putty-tools). (For me the Linux version of Puttygen is occasionally buggy, however, so I recommend [[#OpenSSH Public Key Authentication|OpenSSH keygen]] for routine usage instead):
puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
puttygen putty_rsa.ppk -O private-openssh -o id_rsa

* Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/''user''/.ssh) folder
mv id_rsa* ~/.ssh

* [[#OpenSSH Public Key Authentication|Copy the public key]] ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:

ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

* Connect a VNC client (such as Krdc) through SSH using the command-line:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22''
krdc vnc://127.0.0.1:5900

:or as a single command:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22'' sleep 5; krdc vnc://127.0.0.1::5900

* Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

==== Using keys created by Puttygen in OpenSSH ====
The public security key generated by Puttygen in Windows is generally not compatible with OpenSSH security keys unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see [http://unixwiz.net/techtips/putty-openssh.html this tutorial]), the public key looks like:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100302"
AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6k
unPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYD
ZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9
YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvC
bYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykee
RwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
---- END SSH2 PUBLIC KEY ----

* To be used by OpenSSH, the saved public key must be edited.
:* Delete the first two lines (with the BEGIN and Comment: in them) and the last line.
:* Join the remaining lines into a single line.
:* Place ssh-rsa at the beginning.
:* It should end up looking like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==

* Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course). PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.

=== Connect using SSH Agent ===
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See [http://kimmo.suominen.com/docs/ssh/#ssh-agent this tutorial].

Also see this alternative simple approach: [[#Connect with SSH and start an application with a single command|Connect with SSH and start an application with a single command]].

=== Setup an SSH server ===
[[File:Prefapp1.png|18 px]] Install the [https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html OpenSSH] server:
sudo apt-get install openssh-server

:or
sudo apt-get install tasksel
sudo tasksel install openssh-server

Note: The OpenSSH server can also be installed when doing a [[Kubuntu_Quantal_Servers#Servers|server]] installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See [http://pigtail.net/LRP/printsrv/cygwin-sshd.html these instructions].

* Don't forget to forward the port on which your OpenSSH server is listening. The default SSH port is 22; if the default is used, the router should therefore forward port 22 to the computer on the LAN that is hosting the OpenSSH server. The OpenSSH listening port can be changed; in fact, each computer on the LAN can listen on its own unique SSH port, if desired. The router must forward each specified listening port to the correct computer. Therefore, if computer 1 has its OpenSSH server set to listen on port 22221, then the router should forward port 22221 to computer 1's LAN IP address. If computer 2 has its OpenSSH listening port set to 22222, then obviously the router must forward port 22222 to computer 2's LAN IP address. To change the listening port of the OpenSSH server, edit the /etc/ssh/sshd_config file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/ssh/sshd_config

and change the listening port from 22 to your desired listening port:
Port ''22221''

then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

:* For greater port security (and to minimize [http://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]), consider using [[Kubuntu_Quantal_Network_Management#Knockd_.28Port_security.29|Knockd]].

==== Limit authorized SSH users ====
* See [[Limit_the_user_accounts_that_can_connect_through_OpenSSH_remotely|Limit the user accounts that can connect through OpenSSH remotely]]

==== OpenSSH Public Key Authentication ====
See this [http://sial.org/howto/openssh/publickey-auth/ OpenSSH Public Key Authentication Tutorial].

In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen

A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/''user''/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)

:*The private key must only be accessible (and should be read-only) to ''user'', the owner of the file:
chmod 600 /home/''user''/.ssh/id_rsa

::You could also make the entire .ssh folder accessible only to ''user'':

chmod 700 /home/''user''/.ssh

* Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

:* The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as ''serveruser'' (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys
Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.):
cd ~/.ssh
chown ''serveruser'' id_rsa.pub
cat authorized_keys id_rsa.pub >> authorized_keys

* Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config

:*Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys

* Remove the ability to login to the OpenSSH server using password authentication:
sudo nano /etc/ssh/sshd_config

:*Change the line
#PasswordAuthentication yes
:to
PasswordAuthentication no

* Restart the OpenSSH server:
sudo /etc/init.d/ssh restart

* Now you can connect securely with an SSH tunnel without requiring a password, logging in as ''serveruser''.

ssh -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p ''22''

==== Connect with SSH and start an application with a single command ====
* If you have created an [[#OpenSSH Public Key Authentication|OpenSSH key pair]] (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p 22 sleep 5; krdc vnc://127.0.0.1::5900
:* Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH option -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to continue to proceed to the next command(s) listed on the command line mini-script. The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.

* Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

==== Automate SSH connections that require a password ====
This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the [[#OpenSSH Public Key Authentication|OpenSSH key pair]] methods described above, instead. This method is listed here for reference.

* Terminal interactions (such as the SSH password challenge) can be automated using the [http://linux.die.net/man/1/expect expect] utility. Install:
sudo apt-get install expect

* If, for example, your SSH client ID is ''clientuserID'', yourpassword is ''not#1sostrong'', and the remote SSH server is ''remoteserver.computer.xyz'' (using the default SSH port of ''22''), then use this command to start the SSH tunnel:

expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. ''5900'' and ''5901'' are the ports to be used on either side of the tunnel (port ''5900'' is used for VNC, for example). See [[#Port_forwarding_through_SSH|Port forwarding through SSH]] for more details.

You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).

== VNC ==
Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as [[#X11VNC_Server|X11VNC]], [[#Vino Remote Desktop VNC server|Vino]], or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent —- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as [http://www.uvnc.com/docs/uvnc-viewer.html UltraVNC Viewer].)

=== Vino Remote Desktop VNC server ===
Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:

:Menu -> System -> Preferences -> Remote Desktop

* You can accept uninvited connections in the Security section. You can require a password for these connections.
* This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use [[#X11VNC_Server|X11VNC]] instead.

* A user can connect using [[#Vinagre VNC client|Vinagre]], the [[#Terminal Server Client|Terminal Server Client]], or any other VNC client.

==== How to securely use VNC with SSH tunneling ====
It is less secure to leave the VNC listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under [[#Port forwarding through SSH|SSH port forwarding]], the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

=== X11VNC Server ===
[[File:Prefapp1.png|18 px]] While Vino is easy to use, X11VNC allows far more customization and therefore can be used more in situations where greater security is needed.
* Install an X11VNC server to share your desktop with other computer:
sudo apt-get install x11vnc

* Run X11VNC without a password:
x11vnc -forever -rfbport 5900

:Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. Don't forget to open/forward this port in your firewall/router. By default X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See [http://www.karlrunge.com/x11vnc/x11vnc_opts.html here] for more command line options.

* Create a password to use with X11VNC:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass

* X11VNC can then be started with a password:
x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

* You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.config/autostart/x11vnc.sh
chmod +x ~/.config/autostart/x11vnc.sh

:* You can test the startup script:
~/.config/autostart/x11vnc.sh

==== Using VNC with SSH ====
See [[#Port forwarding through SSH|Port forwarding through SSH]] for additional information.

=== Vinagre VNC client ===
[http://library.gnome.org/users/vinagre/stable/index.html.en Vinagre] is the default Gnome-based VNC client used in Ubuntu.
* Menu -> Applications -> Internet -> Remote Desktop Viewer

=== Terminal Server Client ===
The Terminal Server Client is an Ubuntu/Gnome frontend for [http://www.rdesktop.org/ rdesktop] (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). In can be used instead of Vinagre.
* Menu -> Applications -> Internet -> Terminal Server Client

* To use it with VNC, one of the VNC clients must be installed first. For example, install the [http://www.tightvnc.com/ TightVNC] client:
sudo apt-get install xtightvncviewer

:*Note that the TightVNC client can be used from the command line (or as a menu item) directly:
vncviewer ''192.168.0.12''::''5900''

:where ''192.168.0.12'' is an example ''host'' location that is running a VNC server on port 5900. For more command-line options, use
man vncviewer

=== Krdc VNC client ===
[[File:Prefapp1.png|18 px]] Krdc is the default VNC client in Kubuntu/KDE but can be used in GNOME. It can be used for both VNC and RDP connections. Installing it will also install the Qt platform and many KDE utilities (a large download).
sudo apt-get install krdc

* Run:
:Menu -> Applications -> Internet -> Krdc

* The command-line connection (for use as a menu-item, for example) is:
krdc vnc://<remote IP>

* If the remote (Krfp) VNC server is using a <remote port> other than the default 5900 port, use
krdc vnc://<remote IP>:<remote port>

* Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol).
krdc rdp://<remote IP>:<remote port>

==== Using a VNC client with SSH ====
See [http://jeltsch.org/node/209 this howto] for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an [[#Port forwarding through SSH|SSH tunnel with port forwarding]] using Putty or the command line:
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
::then you would start a VNC client such as Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use
krdc vnc://localhost

=== XVNC4Viewer VNC Client ===
XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:
sudo apt-get install xvnc4viewer

=== Automatic user login (for use with VNC) ===
VNC only works if a user is logged in. When a computer (hosting one or more servers) is intended to start up unattended and VNC (with or without SSH tunneling) is to be used, the computer ought to start with the primary user logged in. To accomplish this:
:Menu -> System -> System Settings -> Login Manager -> Convenience -> Enable Auto-Login (''ticked'') -> Lock session (''ticked'')
::-> Pre-select user: Specified: ''Choose primary user'' (i.e. the user hosting the SSH tunnel, if any, and the VNC server)
::-> Automatically log in again after X server crash (''ticked'')

* Also make sure the VNC server is set to Autostart at bootup.

== FreeNX ==
[https://help.ubuntu.com/community/FreeNX FreeNX] is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

=== FreeNX Server ===
The Free server .deb package can be downloaded from [http://www.nomachine.com/select-package.php?os=linux&id=1 No Machine free server downloads].

* Alternatively, [[Ubuntu:Quantal#Add Extra (K)Ubuntu Repositories|add the following repositories]]:
<del>sudo add-apt-repository ppa:freenx-team</del>

* Install the package:
<del>sudo apt-get update</del>
<del>sudo apt-get install freenx</del>

A FreeNX package / repository is not currently available for Quantal.

=== FreeNX Client ===
Download the self-installing .deb file from [http://www.nomachine.com/select-package-client.php No Machine Client downloads].

== XDMCP ==
[http://www.tldp.org/HOWTO/XDMCP-HOWTO/index.html XDMCP] allows a separate remote login by an authorized user. This login is separate from the local user.
*XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Ubuntu. To enable it, edit the configuration file:

gedit /etc/gdm/custom.conf

* Find and change (or add) the line from false to true so that it reads:

[Xdmcp]
Enable=true

=== Telnet ===
SSH is, basically, secure Telnet.

== VPN clients ==
A [http://en.wikipedia.org/wiki/Virtual_private_network VPN] (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.
=== VPN through Network Manager ===
* The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc

* To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn

* To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp

* Configure:
::Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

=== vpnautoconnect (vpn daemon) ===
[http://sourceforge.net/projects/vpnautoconnect/ vpnautoconnect] is a daemon to allow automatic vpn connections through Network Manager. [http://sourceforge.net/projects/vpnautoconnect/files/ Download] and install the .deb package for your OS version.

=== Other VPN clients ===
Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):
:* [http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc vpnc], [http://grml.org/online-docs/grml-vpn.8.html grml-vpn] -- for Cisco-compliant (IPSec) VPN networks
:* [http://www.openswan.org/ openswan] -- for IPSec (OpenSwan) VPN networks
:* [http://pptpclient.sourceforge.net/ pptp-linux] -- for PPTP (MS Windows-compliant) VPN networks
:* [http://openvpn.net/ openvpn], gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

== VPN servers ==
=== OpenVPN ===
[http://openvpn.net/ OpenVPN] is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):
sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:
sudo apt-get install gadmin-openvpn-server

Also see [[OpenVPN_server|these installation tips]].

=== Poptop (PPTP Server) ===
[http://poptop.sourceforge.net/ Poptop] is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:
sudo apt-get install pptpd

=== OpenSwan ===
[http://www.openswan.org/ OpenSwan] is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:
sudo apt-get install openswan linux-patch-openswan

= Security =
Ubuntu by default is a fairly safe system. However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to [http://www.psychocats.net/ubuntu/security#bestpractices Ubuntu Security Best Practices] is available. Recommended reading includes the book ''[http://www.harpercollins.com/books/9780061962233/Cyber_War/index.aspx Cyber War]'' by [http://en.wikipedia.org/wiki/Richard_A._Clarke Richard Clark] and [http://news.cnet.com/8301-27080_3-20004505-245.html this interview] with Joe Weiss (IT advisor for the energy-sector smart grid). Also read [http://money.cnn.com/2013/04/08/technology/security/shodan/index.html?iid=HP_LN read this CNN Money article].

== Firewall ==
Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it that one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify [http://en.wikipedia.org/wiki/Iptables iptables], which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line, as well, but if you are that much of an expert, you probably don't need this guide.) Also see the [https://help.ubuntu.com/12.04/serverguide/firewall.html official Ubuntu documentation].

=== Firestarter ===
[[File:Prefapp1.png|18 px]] [http://www.fs-security.com/ Firestarter] is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.
sudo apt-get install firestarter

==== Firestarter fails to open system log ====
This is a problem in Quantal. See the [[Syslogd_to_rsyslog|solution here]].

=== Guarddog ===
[http://www.simonzone.com/software/guarddog/ Guarddog] is a GUI firewall configuration utility that has been used for KDE. It has a complex array of configuration, and is difficult to use for some beginners.
sudo apt-get install guarddog

=== Uncomplicated Firewall ===
[http://wiki.ubuntu.com/UncomplicatedFirewall Uncomplicated Firewall] is installed in (K)Ubuntu by default, but all ports are open initially. It is configurable through the [[Kubuntu_Quantal_Introduction#General_Notes|command-line interface]]. See [http://ubuntuforums.org/showthread.php?t=823741 this forum thread], [http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html or this usage tutorial], or [https://help.ubuntu.com/community/UFW Ubuntu community help] for tips on how to set up and use it.
If not installed, it can be installed:
apt-get install ufw

==== Gufw ====
[http://gufw.tuxfamily.org/index.html Gufw] is a graphical user interface for Uncomplicated Firewall. Install:
sudo apt-get install gufw

== Anti-virus ==
* If you are running a file server, interface frequently with Windows drives or share files with Windows users, or use virtualization, you will want a virus checker for your Windows files.

* Despite extensive minsinformation, Linux is not immune from malware (witness the explosion of malware being created for the Linux-based Google Android systems). The malware is not usually spread within the OS itself (as long as the OS is a well-respected distribution obtained through official channels), but in trojan programs downloaded and installed by users outside of the normal software distribution channels (i.e. repositories) of the OS. There is always a danger to using programs downloaded from the Internet from sources other than respected repositories -- it is the primary reason that Debian and (K)Ubuntu retain tight control over their software repositories.

* Any file can have malware embedded in it (which is trivial to achieve by concatenation, for example: ''cat originalfile.avi malware.exe > originalfileplusmalware.avi''). The question is whether a user will try to open a file with a program (such as a media player) that has been compromised in a way that allows it to execute the code found in the infected media (e.g. .avi) file. This can occur not only for Windows users but for any OS (including Mac OSX and Linux) with a compromised program (e.g. media player). An example is the extensive problems the Mac OS community is currently having with the Flash player.

* Routine scanning of any file downloaded from the Internet, any file imported from another user's computer (even a trusted source, since their attention to virus prevention may not be as compulsive as yours), or any attachment received in an email (even from a trusted sender) should be done with an anti-virus program.

=== ClamAV ===
[[File:Prefapp1.png|18 px]] [http://www.clamav.net/ ClamAV] is the open source virus tool for Linux. To install ClamAV:
sudo apt-get install clamav

* If an error is returned: "The database directory must be writable for UID 1000 or GID 1000" in order for the virus database to be updated, then change the ownership of the installation directory (/var/lib/clamav):
sudo chown 1000 /var/lib/clamav

==== ClamTk (ClamAV GUI) ====
[http://clamtk.sourceforge.net/ ClamTk] is a GTK-based GUI frontend for ClamAV. Install:
sudo apt-get install clamtk

=== AVG ===
[http://free.avg.com/us-en/download.prd-afl AVG] offers a free virus scanner for Linux in a .deb package. Download and install from the website.
=== Avast ===
[http://www.avast.com/linux-home-edition Avast] offers a Linux edition (for home users only) in a .deb package. Download and install from the website.

== Anti-spam ==
=== Spam Assasin ===
[http://spamassassin.apache.org/ SpamAssasin] is written in perl, and is mostly for use with a server (such as a groupware server or Apache). Install:
sudo apt-get spamassassin

== Rootkit checkers ==
[http://en.wikipedia.org/wiki/Rootkit Rootkits] are malicious [http://en.wikipedia.org/wiki/Trojan_horse_(computing) trojan]-like programs to allow an intruder to become a root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected. Your rootkit checker should therefore be run from another system, or a [[Kubuntu_Quantal_System_Backup#Run_.28K.29Ubuntu_LiveCD_from_a_USB_pendrive|USB pendrive with an Ubuntu LiveCD installation]]. See the rootkit checker manuals for instructions how to do this. If you are infected with a rootkit, you must backup all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems).
=== Chkrootkit ===
[http://www.chkrootkit.org/ Chkrootkit] checks locally for signs of a rootkit. See the [http://www.chkrootkit.org/README chkrootkit manual] for usage instructions.
:Install:
sudo apt-get install chkrootkit
:Run:
sudo chkrootkit

=== Rootkit Hunter ===
[http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit Hunter] is compatible with (K)Ubuntu systems. See the [http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 usage instructions].
:Install:
sudo apt-get install rkhunter
:Run:
sudo rkhunter

=== Malicious commands to avoid ===
There are many [[Malicious_Linux_Commands|malicious commands]] to be avoided in Linux (as in all operating systems). It is worthwhile to be aware of these dangerous commands so that they are not executed by accident or by malicious advice.

== USB drives ==
USB drives are a major source of security risk and means of data theft.

* An administrator password should be set for the computer BIOS and booting from a USB drive or CD/DVD should be disabled. (Otherwise, any passerby can boot their own OS and then use it to steal data from the hard drive.)

* See [http://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/ this article] for methods of restricting USB usage to authorized users.

== Prevent unauthorized boots and system access ==
Many computers are kept in places where casual passersby may have an opportunity to access the computer, unobserved for short periods. In addition to physical precautions to prevent or slow computer theft (such as locked cases, alarms, and security cables similar to those used to slow bicycle theft), [http://www.pcworld.com/article/114727/lock_down_your_pc.html precautions] should be taken to prevent an unauthorized operating system from being booted using an external device (such as USB drive). Once such as external OS is booted, it can be used to access most hard drive(s) on the computer and the contents copied to a second external device (to be examined or unencrypted later). This is a common means of data theft that is fast and easy to accomplish, and means to deter it should be taken on any public or semi-public computer.

* Set BIOS to restrict bootup to the hard drive only.
:* Set a Supervisor/Administrator password for your computer's BIOS. (I recommend writing it down and taping it to the inside cover of the computer case prior to locking the computer case.) Disable booting from all devices except the hard drive. Setting the hard drive as the first priority boot device is not enough, as most current BIOS menus allow manual selection of any enabled boot devices. Only the hard drive should be left enabled.

* Enable Hard Drive locking, if your computer's BIOS allows it. Most hard drives allow a password to be set by the BIOS and stored in a chip on the hard drive controller which can only be reset by disassembling the hard drive. (Some manufacturers provide a backdoor security key, however.) BIOS versions found on newer computers/laptops allow this password to be set in the BIOS, so that only a BIOS containing the correct password can unlock the hard drive. (If the hard drive is then removed from the computer, it cannot be accessed by any BIOS that does not have the correct password or backdoor security key.) Note, however, that this precaution does not protect against booting from external devices if the BIOS is still set to allow that.
:* There is a risk to this security measure. If you forget the password and the BIOS passwords somehow get reset, the hard drive would become inaccessible. The BIOS and Hard Drive password(s) should always be stored in a safe location.

* Password protect the Grub bootloader. Without password protection, Grub can be used to circumvent BIOS restrictions. See this section for [[Kubuntu_Quantal_System_Administration#Protecting_Grub_Legacy_from_cracking|Grub Legacy]] and this section for [[Kubuntu_Quantal_System_Administration#Protecting_Grub2_from_cracking|Grub2]].

* Make sure all user accounts are protected by a [[Kubuntu_Quantal_Privacy#Passwords_and_file_authentication|password]], and always require passwords for login. Never create an "administrator" user account (hidden or not) and leave it unprotected by a password. Never enable automatic login without a password to any user account.
:* It is possible to enable [[Kubuntu_Quantal_Tips#Automatic_user_login|automatic login]] to a preferred password-protected user account while simultaneously enabling a password-protected screensaver (the password for which must still be entered even before initial user access). This is a reasonable solution that offers protection while still allowing automatic login.

* Make sure a password-protected [[Kubuntu_Quantal_Utilities#Screensavers|screensaver]] is always enabled (that will engage after a reasonably short period of inactivity).

Template:K Raring/Networking

Perspectoff — Sun, 19 May 2013 12:20:32 GMT

Perspectoff: /* Prevent unauthorized boots and system access */

= Networking =
Only one network manager and GUI interface can be enabled. Network-Manager is installed by default and works for both wired and wireless connections, and for both static and dynamic (DHCP-assigned) IP addresses. In the past, some users have preferred the [http://wicd.sourceforge.net/ Wicd] network manager, however, and it can be installed instead.

== Network Manager ==
[http://en.wikipedia.org/wiki/NetworkManager Network Manager] is the network manager installed by default in (K)Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or a wired connection).

* After installation on my system with a wired ethernet connection and manual settings for /etc/network/interfaces, Network Manager was disabled by default ("unmanaged") at installation. To activate Network Manager and allow it to manage networking settings, I edited a file (following the advice in [http://ubuntuforums.org/showthread.php?t=1451064 this thread]):
kdesudo kate /etc/NetworkManager/NetworkManager.conf

and changed the following section so that it read ''true'' instead of ''false'':
[ifupdown]
managed=true

Also, I double checked the /var/lib/NetworkManager/NetworkManager.state file to make sure that Networking was enabled:
[main]
NetworkingEnabled=true

I then restarted Network Manager:
sudo /etc/init.d/network-manager restart

* When using Network Manager to manage the settings, the default setting is to obtain an IP address from the DHCP server on the network. However, I customised the Wired Connection to accept my static IP address as a "manual" (IPv4) IP address and set my custom DNS servers (I don't use the DNS servers of my ISP for security reasons) and a random MAC address (which I change periodically to limit tracking).

* Raring is the first version of Kubuntu in which Network Manager reliably worked for me on both wired and wireless connections. When installing on a laptop with a wireless connection, it worked (in DHCP mode) without any additional configuration. Settings could then be set through the Network Manager plasma widget on the panel bar, including the ability to manually configure a static IP address for the wireless connection, as well.

== Wicd Network Manager ==
[[File:Prefapp1.png|18 px]] [http://wicd.sourceforge.net/ Wicd Network Manager] is a GTK-dependent networking manager written in Python that can be used in all variants of (K)Ubuntu. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation.
sudo apt-get remove network-manager network-manager-pptp plasma-widget-networkmanagement network-manager-kde
sudo reboot
sudo apt-get install wicd

Note: You must have a wired connection in order to install Wicd. Either install it prior to removing Network Manager or be sure the /etc/network/interfaces configuration file is properly configured manually so the default network interface allows you to access the Internet through a wired connection:
kdesudo kate /etc/network/interfaces

and remove the ''#NetworkManager#'' comments, if present and makes sure the file contents resemble:

# The loopback network interface
auto lo
iface lo inet loopback
#
# The primary network interface
auto eth0
iface eth0 inet dhcp

Then restart networking:
sudo /etc/init.d/networking restart

This restores the default networking, and then Wicd can be installed. Once Wicd is installed, the connection settings can be changed through Wicd.

== Set a static IP address ==
* Raring is the first version of Kubuntu in which I have been able to get Network Manager to accept my static IP address settings (for both wired and wireless connections).
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> IPv4 address -> Method: Manual -> IP Address: ''192.168.0.111'' -> Subnet Mask: ''255.255.255.0'' -> Gateway: ''192.168.0.1'' -> OK

:I also add the DNS servers I like to use (I don't use the DNS servers of my ISP for [[Kubuntu_Raring_Privacy#DNS_Servers_and_Search_engines|security]] reasons).

* If you only use only a wired interface, you do not need a network manager and it can be removed if desired. Doing so requires configuring the networking settings manually.

:* In Raring, Network Manager does not need to be removed if manual settings are used in /etc/network/interfaces. To allow the settings to take effect (and the network connection to be "unmanaged" by Network Manager), edit /etc/NetworkManager/NetworkManager.conf:

sudo kate /etc/NetworkManager/NetworkManager.conf

and change the following section so that it reads ''false'':
[ifupdown]
managed=''false''

Then restart Network Manager:
sudo /etc/init.d/network-manager restart

:* Edit the /etc/network/interfaces file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces

:* and replace the line (ok if line is missing)
iface eth0 inet dhcp

:* with the following lines (using your own LAN settings and desired DNS-nameservers, of course):
auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

:* Then restart networking:
sudo /etc/init.d/networking restart

:* Check to see if your settings are now correct:
ifconfig

* The [[#Wicd_Network_Manager|Wicd]] network manager also allows a wireless connection to have a static IP.

=== Manual configuration from the command-line ===

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

sudo mkdir /etc/wpa_supplicant
cd /etc/wpa_supplicant
sudo echo network = { > wpa_supplicant.conf
sudo echo ssid="SSID" >> wpa_supplicant.conf
sudo echo key_mgmt=WPA-PSK >> wpa_supplicant.conf
sudo echo psk="PRESHAREDKEY" >> wpa_supplicant.conf
sudo echo } >> wpa_supplicant.conf
cd /etc/network
sudo gedit interfaces

Now add after "auto eth[N] ..." & "iface eth[N] .." :

wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file and restart your system.

== Internet connection sharing (DHCP server) ==
In most LANs, an inexpensive router is used to provide [http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol DHCP] functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your [http://en.wikipedia.org/wiki/Local_area_network LAN] if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to [[#Using a nested wireless LAN router|nest LANs]]). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range ''10.0.0.1 - 10.0.0.250'' with netmask ''255.255.255.0'' and gateway ''10.0.0.1''). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one to the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet ([http://en.wikipedia.org/wiki/Wide_area_network WAN]) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see [[#Using a nested wireless LAN router|using a nested wireless LAN router]] below.)

(Note: If you want your LAN to use the same subnet as your WAN, see [[#Network Interfaces Bridging|network interface bridging]].)

* Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter

* Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd

* Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server

::Change the line
INTERFACES=""
::to
INTERFACES="eth0"

* Restart the DHCP server:
sudo dhcpd restart

* Right click on Network-Manager -> Edit Connections... -> Wired -> Add
: -> Connection name: ''Shared internet connection''
: -> IPv4 Settings -> Method: Manual -> Add
: -> Address: ''10.0.0.1'' -> Netmask: ''255.255.255.0'' -> Gateway: 0.0.0.0
: -> Available to all users: [x]

* Attach the ethernet cable to (eth0).
:Network-Manager -> Wired Networks -> ''Shared internet connection''

* Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter

:* Tell the firewall which port is your direct Internet Connection:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Internet connected network device: (wlan0)
:-> IP address is assigned by DHCP: [x]

:* Tell the firewall which port is for the LAN, and specify the details for the LAN:
Firestarter -> Preferences -> Firewall -> Network Settings ->
Local network connected device: (eth0)
:-> Enable internet connection sharing: [x]
:-> Enable DHCP for the local network: [x]
:: -> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: ''10.0.0.2''
:: -> Highest IP address to assign: ''10.0.0.250'' -> Name server: <dynamic>

:Note: Use your own desired LAN settings (internal [http://en.wikipedia.org/wiki/Static_IP#Static_and_dynamic_IP_addresses DHCP-assigned dynamic IP] address range), of course. In this example I don't use the full IP range ''10.0.0.2 - 10.0.0.255'' for dynamic IP addresses because I want to reserve some LAN addresses (''10.0.0.251 - 10.0.0.255'') to be used as static IP addresses).

* Notes:
:* If you wish to use this setup all the time, make the "''Shared internet connection''" profile your default connection profile in Network Manager.

=== Using a nested wireless LAN router ===
Many users will already have an established LAN that uses an existing wireless router and has client computers that are setup to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as '''nested LANs'''. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range ''10.0.0.1 - 10.0.0.255'' (with netmask ''255.255.255.0''), as in the above example. The router's nested wireless LAN must then use a different IP range (for example ''192.168.0.1 - 192.168.0.255'' with netmask ''255.255.255.0'').

* Do not use your wireless router's WAN (Internet) port.
* Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
* Configure your wireless router's LAN so that it appears to be a ''single device'' to the main LAN:
:* Setup your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. ''10.0.0.254''), and make sure the subnet mask matches the one you chose for your main LAN (e.g. ''255.255.255.0''). The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. ''10.0.0.1'' in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
:* If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of ''192.168.0.1'' (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be ''192.168.0.2'' or greater. (Some routers ask you to specify the entire range (such as ''192.168.0.2 - 192.168.0.255''.)
* Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP ''192.168.0.1'') instead of from the main LAN gateway.
* Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
* Note: The host computer for the main LAN must have a static IP address (e.g. ''10.0.0.1'' as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

=== Network Interfaces Bridging ===
* Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils

* Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:
auto eth0
iface eth0 inet manual
#
auto br0
iface br0 inet dhcp
#
bridge_ports eth0 wlan0
#
# The loopback network interface
auto lo
iface lo inet loopback

* Restart networking with:
sudo /etc/init.d/networking restart

== Using Dynamic IP addresses for a webserver ==
Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment static IP address], then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is [http://en.wikipedia.org/wiki/IP_address#IP_address_assignment dynamic] (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a Dynamic DNS service to constantly keep track of your dynamically changing IP address and match it to of your web server's URL. Fortunately, there are a few Dynamic DNS services that will do this for you, either for a small fee or even for free. For more info, see [https://help.ubuntu.com/community/DynamicDNS this Ubuntu Community help] article.

For specific tips on setting up Dynamic DNS, see [[Dynamic IP servers|this article]].

== Filesharing ==

=== NFS ===
NFS is the default networking protocol for network file sharing in *nix systems (including (K)Ubuntu Linux). Here are some tips for setting up NFS from the [http://mostlylinux.wordpress.com/network/nfshowto/ Little Girl's Mostly Linux Blog].

=== Samba File Sharing ===

==== Samba client ====
Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Ubuntu and should work seamlessly (unless you have have a firewall blocking the ports).

==== Samba server ====
[http://www.samba.org/ Samba] provides file/print services for the SMB/CIFS protocol used in Windows-based networks. See the [https://help.ubuntu.com/10.10/serverguide/C/windows-networking.html official Ubuntu documentation] for more information about providing services in a Windows network. A Samba server can be installed using the tasksel option during installation of the Ubuntu [[Kubuntu_Raring_Servers#Servers|server]] from the LiveCD, or at any time using:
sudo tasksel install samba-server

* An alternative method of installation is:
sudo apt-get install samba samba-tools system-config-samba smbfs

:Note: samba-tools, system-config-samba, and smbfs are optional.

* Modify Samba settings.
:*Method 1:

:Menu -> System -> Administration -> Samba
:(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare [[Kubuntu_Raring_User_Administration#Users_and_Groups|group]], as well.

:* Method 2:
:Enable File Sharing Server With User Login (Very Reliable Method)

:Do the following on the machine that has the files to be shared:

::* Add current user to Samba:
sudo smbpasswd -a username
::(replacing username with your login username)

::* Open the samba config file:

sudo nano /etc/samba/smb.conf

::* Add the directories to be added (right at the end) in the following format:

[Pictures]
path = /home/username/<folder_to_be_shared>

::(Replace username with your username and <folder_to_be_shared> with the folder you want to share)

::Press CTRL+X and then Y to save.

::* Restart Samba:
sudo service smbd restart
sudo service nmbd restart

:::Note: Prior versions used:
sudo /etc/init.d/samba restart

* On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server which is serving the folder)

* On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
::(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported [https://bugs.launchpad.net/ubuntu/+source/kdenetwork/+bug/95452 here]. In brief, you need to comment out/delete any instances of these two lines in /etc/smb.conf :
case sensitive
msdfs proxy

==== Change your Workgroup ====
To change your Samba (Windows network) workgroup:
sudo nano /etc/samba/smb.conf

Look for the line:
workgroup = WORKGROUUP

and change the setting to whatever your LAN workgroup is.

==== Recognizing Win98 machines ====
Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:
sudo nano /etc/samba/smb.conf
Then add the following lines to the file:
[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

=== Integrating into Mac OS X Network ===
See [http://www.zaphu.com/2008/04/30/five-guides-on-how-to-integrate-ubuntu-into-a-mac-os-x-network/ this guide] for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

=== FTP Server ===
An FTP server allows the easy transfer of files between systems over the network. Clients such as [[Kubuntu_Raring_Internet#Filezilla|Filezilla]] can be used to interact with an FTP server. Also see these [[FTP_tips|FTP tips]].

==== vsftpd ====
[http://vsftpd.beasts.org/ vsftpd] is an FTP server available in (K)Ubuntu. For configuration information, see the [https://help.ubuntu.com/12.10/serverguide/C/ftp-server.html official Ubuntu documentation]. Install:
sudo apt-get install vsftpd

==== proftpd ====
[http://www.proftpd.org/ Proftpd] is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the [https://help.ubuntu.com/community/ProFTPD Ubuntu Community documentation]. Install:
sudo apt-get install proftpd-basic

=== WebDAV ===
[[File:Prefapp1.png|18 px]] [http://en.wikipedia.org/wiki/WebDAV WebDAV] is a method for allowing remote access to local folders via an HTTP-based web browser or file manager. This can be combined with user authentication (using LDAP or other password mechanism).

* See [[WebDAV|this page]] for instructions.

== Local Area Network ==

== Modems / Dial-up ==
Network Manager does not accept modem connections. See [https://help.ubuntu.com/10.10/internet/C/modem.html Ubuntu help] for information on identifying and connecting with a modem. These instructions require gnome-network-admin (install while connected to a wired ethernet connection):
sudo apt-get install gnome-network-admin

=== Gnome PPP and wvdial ===
[http://en.wikipedia.org/wiki/Gnome-ppp Gnome PPP] is a discontinued GUI frontend for the [http://alumnit.ca/wiki/index.php?page=WvDial wvdial] PPP modem dialer. It is still available as a package. Install:
sudo apt-get install gnome-ppp wvdial

See [http://ubuntuforums.org/showthread.php?t=931872 this forum thread] for tweaks required to make Gnome PPP and wvdial operational in Lucid.

=== GPPP ===
GPPP was the default modem dialing application in previous versions of Ubuntu.

:Menu -> Applications -> Internet -> GPPP Internet Dial-up

= Remote Access =
There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

== SSH ==
Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.

=== Connect to a remote SSH server ===

==== From the command-line terminal ====
Install the [http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1 OpenSSH] client (if not already installed):
sudo apt-get install openssh-client

From the command-line Terminal type:

ssh -C <username>@<computer name or IP address>

:Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz

:or:

ssh -C mike@192.168.1.1

:or
ssh -C 192.168.1.1 -l mike

:Note: -l specifies the login id.

If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C joe.friday@remote.computer.xyz:11022

:or

ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/''user''/.ssh. The key should be accessible only to ''user''
sudo chmod 600 /home/''user''/.ssh/identity

:or

sudo chmod 600 /home/''user''/.ssh/id_rsa

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

==== Port forwarding through SSH ====
* See [[Using_SSH_to_Port_Forward|Using SSH to Port Forward]] for full details.

* In brief, use
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the the SSH tunnel port.
To use VNC through the tunnel, you would use an application like Krdc or Vinagre:
krdc vnc://localhost:<local port>

Note: ''localhost'' is equivalent to (and interchangeable with) ''127.0.0.1''. Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as [[#X11VNC_Server|X11VNC]]) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote '''computer''' (such as 192.168.1.155) instead of the remote '''router''''s IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

''Example'':
For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up an [[#X11VNC_Server|X11VNC server]] on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/ public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.

=== PuTTY ===
[http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run Putty to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage [[#OpenSSH Public Key Authentication|OpenSSH]] is generally recommended instead).
sudo apt-get install putty putty-tools

* To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use [http://linux.die.net/man/1/puttygen Puttygen] (part of Putty-tools). (For me the Linux version of Puttygen is occasionally buggy, however, so I recommend [[#OpenSSH Public Key Authentication|OpenSSH keygen]] for routine usage instead):
puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
puttygen putty_rsa.ppk -O private-openssh -o id_rsa

* Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/''user''/.ssh) folder
mv id_rsa* ~/.ssh

* [[#OpenSSH Public Key Authentication|Copy the public key]] ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:

ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

* Connect a VNC client (such as Krdc) through SSH using the command-line:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22''
krdc vnc://127.0.0.1:5900

:or as a single command:
putty -ssh -i ~/.ssh/id_rsa -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -P ''22'' sleep 5; krdc vnc://127.0.0.1::5900

* Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

==== Using keys created by Puttygen in OpenSSH ====
The public security key generated by Puttygen in Windows is generally not compatible with OpenSSH security keys unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see [http://unixwiz.net/techtips/putty-openssh.html this tutorial]), the public key looks like:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100302"
AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6k
unPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYD
ZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9
YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvC
bYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykee
RwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
---- END SSH2 PUBLIC KEY ----

* To be used by OpenSSH, the saved public key must be edited.
:* Delete the first two lines (with the BEGIN and Comment: in them) and the last line.
:* Join the remaining lines into a single line.
:* Place ssh-rsa at the beginning.
:* It should end up looking like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==

* Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course). PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.

=== Connect using SSH Agent ===
With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See [http://kimmo.suominen.com/docs/ssh/#ssh-agent this tutorial].

Also see this alternative simple approach: [[#Connect with SSH and start an application with a single command|Connect with SSH and start an application with a single command]].

=== Setup an SSH server ===
[[File:Prefapp1.png|18 px]] Install the [https://help.ubuntu.com/10.10/serverguide/C/openssh-server.html OpenSSH] server:
sudo apt-get install openssh-server

:or
sudo apt-get install tasksel
sudo tasksel install openssh-server

Note: The OpenSSH server can also be installed when doing a [[Kubuntu_Raring_Servers#Servers|server]] installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See [http://pigtail.net/LRP/printsrv/cygwin-sshd.html these instructions].

* Don't forget to forward the port on which your OpenSSH server is listening. The default SSH port is 22; if the default is used, the router should therefore forward port 22 to the computer on the LAN that is hosting the OpenSSH server. The OpenSSH listening port can be changed; in fact, each computer on the LAN can listen on its own unique SSH port, if desired. The router must forward each specified listening port to the correct computer. Therefore, if computer 1 has its OpenSSH server set to listen on port 22221, then the router should forward port 22221 to computer 1's LAN IP address. If computer 2 has its OpenSSH listening port set to 22222, then obviously the router must forward port 22222 to computer 2's LAN IP address. To change the listening port of the OpenSSH server, edit the /etc/ssh/sshd_config file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/ssh/sshd_config

and change the listening port from 22 to your desired listening port:
Port ''22221''

then restart the OpenSSH server:
sudo /etc/init.d/ssh restart

:* For greater port security (and to minimize [http://en.wikipedia.org/wiki/Brute-force_attack brute-force attacks]), consider using [[Kubuntu_Raring_Network_Management#Knockd_.28Port_security.29|Knockd]].

==== Limit authorized SSH users ====
* See [[Limit_the_user_accounts_that_can_connect_through_OpenSSH_remotely|Limit the user accounts that can connect through OpenSSH remotely]]

==== OpenSSH Public Key Authentication ====
See this [http://sial.org/howto/openssh/publickey-auth/ OpenSSH Public Key Authentication Tutorial].

In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:
ssh-keygen

A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/''user''/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)

:*The private key must only be accessible (and should be read-only) to ''user'', the owner of the file:
chmod 600 /home/''user''/.ssh/id_rsa

::You could also make the entire .ssh folder accessible only to ''user'':

chmod 700 /home/''user''/.ssh

* Copy the public key ( /home/''user''/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/''serveruser''/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id ''serveruser''@''remoteserver.computer.xyz''

:* The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/''user''/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/''serveruser''/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as ''serveruser'' (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys
Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is ''serveruser''.):
cd ~/.ssh
chown ''serveruser'' id_rsa.pub
cat authorized_keys id_rsa.pub >> authorized_keys

* Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config

:*Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys

* Remove the ability to login to the OpenSSH server using password authentication:
sudo nano /etc/ssh/sshd_config

:*Change the line
#PasswordAuthentication yes
:to
PasswordAuthentication no

* Restart the OpenSSH server:
sudo /etc/init.d/ssh restart

* Now you can connect securely with an SSH tunnel without requiring a password, logging in as ''serveruser''.

ssh -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p ''22''

==== Connect with SSH and start an application with a single command ====
* If you have created an [[#OpenSSH Public Key Authentication|OpenSSH key pair]] (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l ''serveruser'' -L 5900:127.0.0.1:5900 ''remoteserver.computer.xyz'' -p 22 sleep 5; krdc vnc://127.0.0.1::5900
:* Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH option -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to continue to proceed to the next command(s) listed on the command line mini-script. The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.

* Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

==== Automate SSH connections that require a password ====
This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the [[#OpenSSH Public Key Authentication|OpenSSH key pair]] methods described above, instead. This method is listed here for reference.

* Terminal interactions (such as the SSH password challenge) can be automated using the [http://linux.die.net/man/1/expect expect] utility. Install:
sudo apt-get install expect

* If, for example, your SSH client ID is ''clientuserID'', yourpassword is ''not#1sostrong'', and the remote SSH server is ''remoteserver.computer.xyz'' (using the default SSH port of ''22''), then use this command to start the SSH tunnel:

expect -c 'spawn ssh -l clientuserID -L 5900:127.0.0.1:5901 remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. ''5900'' and ''5901'' are the ports to be used on either side of the tunnel (port ''5900'' is used for VNC, for example). See [[#Port_forwarding_through_SSH|Port forwarding through SSH]] for more details.

You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).

== VNC ==
Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as [[#X11VNC_Server|X11VNC]], [[#Vino Remote Desktop VNC server|Vino]], or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent —- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as [http://www.uvnc.com/docs/uvnc-viewer.html UltraVNC Viewer].)

=== Vino Remote Desktop VNC server ===
Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:

:Menu -> System -> Preferences -> Remote Desktop

* You can accept uninvited connections in the Security section. You can require a password for these connections.
* This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use [[#X11VNC_Server|X11VNC]] instead.

* A user can connect using [[#Vinagre VNC client|Vinagre]], the [[#Terminal Server Client|Terminal Server Client]], or any other VNC client.

==== How to securely use VNC with SSH tunneling ====
It is less secure to leave the VNC listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under [[#Port forwarding through SSH|SSH port forwarding]], the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

=== X11VNC Server ===
[[File:Prefapp1.png|18 px]] While Vino is easy to use, X11VNC allows far more customization and therefore can be used more in situations where greater security is needed.
* Install an X11VNC server to share your desktop with other computer:
sudo apt-get install x11vnc

* Run X11VNC without a password:
x11vnc -forever -rfbport 5900

:Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. Don't forget to open/forward this port in your firewall/router. By default X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See [http://www.karlrunge.com/x11vnc/x11vnc_opts.html here] for more command line options.

* Create a password to use with X11VNC:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass

* X11VNC can then be started with a password:
x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0

* You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.config/autostart/x11vnc.sh
chmod +x ~/.config/autostart/x11vnc.sh

:* You can test the startup script:
~/.config/autostart/x11vnc.sh

==== Using VNC with SSH ====
See [[#Port forwarding through SSH|Port forwarding through SSH]] for additional information.

=== Vinagre VNC client ===
[http://library.gnome.org/users/vinagre/stable/index.html.en Vinagre] is the default Gnome-based VNC client used in Ubuntu.
* Menu -> Applications -> Internet -> Remote Desktop Viewer

=== Terminal Server Client ===
The Terminal Server Client is an Ubuntu/Gnome frontend for [http://www.rdesktop.org/ rdesktop] (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). In can be used instead of Vinagre.
* Menu -> Applications -> Internet -> Terminal Server Client

* To use it with VNC, one of the VNC clients must be installed first. For example, install the [http://www.tightvnc.com/ TightVNC] client:
sudo apt-get install xtightvncviewer

:*Note that the TightVNC client can be used from the command line (or as a menu item) directly:
vncviewer ''192.168.0.12''::''5900''

:where ''192.168.0.12'' is an example ''host'' location that is running a VNC server on port 5900. For more command-line options, use
man vncviewer

=== Krdc VNC client ===
[[File:Prefapp1.png|18 px]] Krdc is the default VNC client in Kubuntu/KDE but can be used in GNOME. It can be used for both VNC and RDP connections. Installing it will also install the Qt platform and many KDE utilities (a large download).
sudo apt-get install krdc

* Run:
:Menu -> Applications -> Internet -> Krdc

* The command-line connection (for use as a menu-item, for example) is:
krdc vnc://<remote IP>

* If the remote (Krfp) VNC server is using a <remote port> other than the default 5900 port, use
krdc vnc://<remote IP>:<remote port>

* Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol).
krdc rdp://<remote IP>:<remote port>

==== Using a VNC client with SSH ====
See [http://jeltsch.org/node/209 this howto] for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an [[#Port forwarding through SSH|SSH tunnel with port forwarding]] using Putty or the command line:
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
::then you would start a VNC client such as Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use
krdc vnc://localhost

=== XVNC4Viewer VNC Client ===
XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:
sudo apt-get install xvnc4viewer

=== Automatic user login (for use with VNC) ===
VNC only works if a user is logged in. When a computer (hosting one or more servers) is intended to start up unattended and VNC (with or without SSH tunneling) is to be used, the computer ought to start with the primary user logged in. To accomplish this:
:Menu -> System -> System Settings -> Login Manager -> Convenience -> Enable Auto-Login (''ticked'') -> Lock session (''ticked'')
::-> Pre-select user: Specified: ''Choose primary user'' (i.e. the user hosting the SSH tunnel, if any, and the VNC server)
::-> Automatically log in again after X server crash (''ticked'')

* Also make sure the VNC server is set to Autostart at bootup.

== FreeNX ==
[https://help.ubuntu.com/community/FreeNX FreeNX] is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

=== FreeNX Server ===
The Free server .deb package can be downloaded from [http://www.nomachine.com/select-package.php?os=linux&id=1 No Machine free server downloads].

* Alternatively, [[Ubuntu:Raring#Add Extra (K)Ubuntu Repositories|add the following repositories]]:
<del>sudo add-apt-repository ppa:freenx-team</del>

* Install the package:
<del>sudo apt-get update</del>
<del>sudo apt-get install freenx</del>

A FreeNX package / repository is not currently available for Raring.

=== FreeNX Client ===
Download the self-installing .deb file from [http://www.nomachine.com/select-package-client.php No Machine Client downloads].

== XDMCP ==
[http://www.tldp.org/HOWTO/XDMCP-HOWTO/index.html XDMCP] allows a separate remote login by an authorized user. This login is separate from the local user.
*XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Ubuntu. To enable it, edit the configuration file:

gedit /etc/gdm/custom.conf

* Find and change (or add) the line from false to true so that it reads:

[Xdmcp]
Enable=true

=== Telnet ===
SSH is, basically, secure Telnet.

== VPN clients ==
A [http://en.wikipedia.org/wiki/Virtual_private_network VPN] (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.
=== VPN through Network Manager ===
* The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc

* To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn

* To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp

* Configure:
::Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

=== vpnautoconnect (vpn daemon) ===
[http://sourceforge.net/projects/vpnautoconnect/ vpnautoconnect] is a daemon to allow automatic vpn connections through Network Manager. [http://sourceforge.net/projects/vpnautoconnect/files/ Download] and install the .deb package for your OS version.

=== Other VPN clients ===
Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):
:* [http://www.debuntu.org/how-to-connect-to-a-cisco-vpn-using-vpnc vpnc], [http://grml.org/online-docs/grml-vpn.8.html grml-vpn] -- for Cisco-compliant (IPSec) VPN networks
:* [http://www.openswan.org/ openswan] -- for IPSec (OpenSwan) VPN networks
:* [http://pptpclient.sourceforge.net/ pptp-linux] -- for PPTP (MS Windows-compliant) VPN networks
:* [http://openvpn.net/ openvpn], gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

== VPN servers ==

=== OpenVPN ===
[http://openvpn.net/ OpenVPN] is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):
sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:
sudo apt-get install gadmin-openvpn-server

Also see [[OpenVPN_server|these installation tips]].

=== Poptop (PPTP Server) ===
[http://poptop.sourceforge.net/ Poptop] is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:
sudo apt-get install pptpd

=== OpenSwan ===
[http://www.openswan.org/ OpenSwan] is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:
sudo apt-get install openswan linux-patch-openswan

= Security =
Ubuntu by default is a fairly safe system. However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to [http://www.psychocats.net/ubuntu/security#bestpractices Ubuntu Security Best Practices] is available. Recommended reading includes the book ''[http://www.harpercollins.com/books/9780061962233/Cyber_War/index.aspx Cyber War]'' by [http://en.wikipedia.org/wiki/Richard_A._Clarke Richard Clark] and [http://news.cnet.com/8301-27080_3-20004505-245.html this interview] with Joe Weiss (IT advisor for the energy-sector smart grid). Also read [http://money.cnn.com/2013/04/08/technology/security/shodan/index.html?iid=HP_LN read this CNN Money article].

== Firewall ==
Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it that one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify [http://en.wikipedia.org/wiki/Iptables iptables], which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line, as well, but if you are that much of an expert, you probably don't need this guide.) Also see the [https://help.ubuntu.com/12.04/serverguide/firewall.html official Ubuntu documentation].

=== Firestarter ===
[[File:Prefapp1.png|18 px]] [http://www.fs-security.com/ Firestarter] is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.
sudo apt-get install firestarter

==== Firestarter fails to open system log ====
This is a problem in Raring. See the [[Syslogd_to_rsyslog|solution here]].

=== Guarddog ===
[http://www.simonzone.com/software/guarddog/ Guarddog] is a GUI firewall configuration utility that has been used for KDE. It has a complex array of configuration, and is difficult to use for some beginners.
sudo apt-get install guarddog

=== Uncomplicated Firewall ===
[http://wiki.ubuntu.com/UncomplicatedFirewall Uncomplicated Firewall] is installed in (K)Ubuntu by default, but all ports are open initially. It is configurable through the [[Kubuntu_Raring_Introduction#General_Notes|command-line interface]]. See [http://ubuntuforums.org/showthread.php?t=823741 this forum thread], [http://www.ubuntu-unleashed.com/2008/05/howto-take-use-setup-and-advantage-of.html or this usage tutorial], or [https://help.ubuntu.com/community/UFW Ubuntu community help] for tips on how to set up and use it.
If not installed, it can be installed:
apt-get install ufw

==== Gufw ====
[http://gufw.tuxfamily.org/index.html Gufw] is a graphical user interface for Uncomplicated Firewall. Install:
sudo apt-get install gufw

== Anti-virus ==
* If you are running a file server, interface frequently with Windows drives or share files with Windows users, or use virtualization, you will want a virus checker for your Windows files.

* Despite extensive minsinformation, Linux is not immune from malware (witness the explosion of malware being created for the Linux-based Google Android systems). The malware is not usually spread within the OS itself (as long as the OS is a well-respected distribution obtained through official channels), but in trojan programs downloaded and installed by users outside of the normal software distribution channels (i.e. repositories) of the OS. There is always a danger to using programs downloaded from the Internet from sources other than respected repositories -- it is the primary reason that Debian and (K)Ubuntu retain tight control over their software repositories.

* Any file can have malware embedded in it (which is trivial to achieve by concatenation, for example: ''cat originalfile.avi malware.exe > originalfileplusmalware.avi''). The question is whether a user will try to open a file with a program (such as a media player) that has been compromised in a way that allows it to execute the code found in the infected media (e.g. .avi) file. This can occur not only for Windows users but for any OS (including Mac OSX and Linux) with a compromised program (e.g. media player). An example is the extensive problems the Mac OS community is currently having with the Flash player.

* Routine scanning of any file downloaded from the Internet, any file imported from another user's computer (even a trusted source, since their attention to virus prevention may not be as compulsive as yours), or any attachment received in an email (even from a trusted sender) should be done with an anti-virus program.

=== ClamAV ===
[[File:Prefapp1.png|18 px]] [http://www.clamav.net/ ClamAV] is the open source virus tool for Linux. To install ClamAV:
sudo apt-get install clamav

* If an error is returned: "The database directory must be writable for UID 1000 or GID 1000" in order for the virus database to be updated, then change the ownership of the installation directory (/var/lib/clamav):
sudo chown 1000 /var/lib/clamav

==== ClamTk (ClamAV GUI) ====
[http://clamtk.sourceforge.net/ ClamTk] is a GTK-based GUI frontend for ClamAV. Install:
sudo apt-get install clamtk

=== AVG ===
[http://free.avg.com/us-en/download.prd-afl AVG] offers a free virus scanner for Linux in a .deb package. Download and install from the website.

=== Avast ===
[http://www.avast.com/linux-home-edition Avast] offers a Linux edition (for home users only) in a .deb package. Download and install from the website.

== Anti-spam ==

=== Spam Assasin ===
[http://spamassassin.apache.org/ SpamAssasin] is written in perl, and is mostly for use with a server (such as a groupware server or Apache). Install:
sudo apt-get spamassassin

== Rootkit checkers ==
[http://en.wikipedia.org/wiki/Rootkit Rootkits] are malicious [http://en.wikipedia.org/wiki/Trojan_horse_(computing) trojan]-like programs to allow an intruder to become a root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected. Your rootkit checker should therefore be run from another system, or a [[Kubuntu_Raring_System_Backup#Run_.28K.29Ubuntu_LiveCD_from_a_USB_pendrive|USB pendrive with an Ubuntu LiveCD installation]]. See the rootkit checker manuals for instructions how to do this. If you are infected with a rootkit, you must backup all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems).

=== Chkrootkit ===
[http://www.chkrootkit.org/ Chkrootkit] checks locally for signs of a rootkit. See the [http://www.chkrootkit.org/README chkrootkit manual] for usage instructions.
:Install:
sudo apt-get install chkrootkit
:Run:
sudo chkrootkit

=== Rootkit Hunter ===
[http://www.rootkit.nl/projects/rootkit_hunter.html Rootkit Hunter] is compatible with (K)Ubuntu systems. See the [http://sourceforge.net/docman/display_doc.php?docid=35179&group_id=155034 usage instructions].
:Install:
sudo apt-get install rkhunter
:Run:
sudo rkhunter

=== Malicious commands to avoid ===
There are many [[Malicious_Linux_Commands|malicious commands]] to be avoided in Linux (as in all operating systems). It is worthwhile to be aware of these dangerous commands so that they are not executed by accident or by malicious advice.

== USB drives ==
USB drives are a major source of security risk and means of data theft.

* An administrator password should be set for the computer BIOS and booting from a USB drive or CD/DVD should be disabled. (Otherwise, any passerby can boot their own OS and then use it to steal data from the hard drive.)

* See [http://www.cyberciti.biz/faq/linux-disable-modprobe-loading-of-usb-storage-driver/ this article] for methods of restricting USB usage to authorized users.

== Prevent unauthorized boots and system access ==
Many computers are kept in places where casual passersby may have an opportunity to access the computer, unobserved for short periods. In addition to physical precautions to prevent or slow computer theft (such as locked cases, alarms, and security cables similar to those used to slow bicycle theft), [http://www.pcworld.com/article/114727/lock_down_your_pc.html precautions] should be taken to prevent an unauthorized operating system from being booted using an external device (such as USB drive). Once such as external OS is booted, it can be used to access most hard drive(s) on the computer and the contents copied to a second external device (to be examined or unencrypted later). This is a common means of data theft that is fast and easy to accomplish, and means to deter it should be taken on any public or semi-public computer.

* Set BIOS to restrict bootup to the hard drive only.
:* Set a Supervisor/Administrator password for your computer's BIOS. (I recommend writing it down and taping it to the inside cover of the computer case prior to locking the computer case.) Disable booting from all devices except the hard drive. Setting the hard drive as the first priority boot device is not enough, as most current BIOS menus allow manual selection of any enabled boot devices. Only the hard drive should be left enabled.

* Enable Hard Drive locking, if your computer's BIOS allows it. Most hard drives allow a password to be set by the BIOS and stored in a chip on the hard drive controller which can only be reset by disassembling the hard drive. (Some manufacturers provide a backdoor security key, however.) BIOS versions found on newer computers/laptops allow this password to be set in the BIOS, so that only a BIOS containing the correct password can unlock the hard drive. (If the hard drive is then removed from the computer, it cannot be accessed by any BIOS that does not have the correct password or backdoor security key.) Note, however, that this precaution does not protect against booting from external devices if the BIOS is still set to allow that.
:* There is a risk to this security measure. If you forget the password and the BIOS passwords somehow get reset, the hard drive would become inaccessible. The BIOS and Hard Drive password(s) should always be stored in a safe location.

* Password protect the Grub bootloader. Without password protection, Grub can be used to circumvent BIOS restrictions. See this section for [[Kubuntu_Raring_System_Administration#Protecting_Grub_Legacy_from_cracking|Grub Legacy]] and this section for [[Kubuntu_Raring_System_Administration#Protecting_Grub2_from_cracking|Grub2]].

* Make sure all user accounts are protected by a [[Kubuntu_Raring_Privacy#Passwords_and_file_authentication|password]], and always require passwords for login. Never create an "administrator" user account (hidden or not) and leave it unprotected by a password. Never enable automatic login without a password to any user account.
:* It is possible to enable [[Kubuntu_Raring_Tips#Automatic_user_login|automatic login]] to a preferred password-protected user account while simultaneously enabling a password-protected screensaver (the password for which must still be entered even before initial user access). This is a reasonable solution that offers protection while still allowing automatic login.

* Make sure a password-protected [[Kubuntu_Raring_Utilities#Screensavers|screensaver]] is always enabled (that will engage after a reasonably short period of inactivity).

User:Perspectoff

Perspectoff — Sat, 18 May 2013 14:06:26 GMT

Perspectoff: /* Background */

[[File:Science tux.png]]

From 2007 - 2012 I edited the English editions (grammar, spelling, and wiki appearance) of [http://ubuntuguide.org Ubuntuguide] and [http://ubuntuguide.org/wiki/Kubuntuguide Kubuntuguide], with the help of the excellent contributions by the users who added them. In 2012 I merged KubuntuGuide.org / Kubuntuguide.info with UbuntuGuide.org. During the same period I also ran a website called [http://ubuntudoctorsguild.dyndns.org Ubuntu Doctors Guild]. In early 2012 I moved several of my systems to [http://www.debian.org Debian] (with a KDE desktop) while maintaining multiple Kubuntu installations.

As of late 2012 I am only intermittently involved with the maintenance of this website.

I have been interested in distributed networks ("cloud computing") using Debian/Ubuntu/Kubuntu, especially using the Logical Volume Manager, RAID, and datacenter management tools that are useful for small and medium size businesses.

I am also an advocate for open-source (GPL-licensed) software solutions in health care, as a basis for a United States national health care system. I have served on a national standards committee regarding Health Information Technology in the US. A few years ago I created the (K)Ubuntu-derived [http://sourceforge.net/projects/ubuntu-med/ Ubuntu-Med] system (which is no longer maintained in its original form) and have now decided to focus on the [http://debian-med.alioth.debian.org/tasks/ Debian-Med] toolset instead, incorporating generic server functions into it.

== Background ==
I originally wrote software and software documentation for a large aerospace project and then for several military projects.

I was a UNIX and VMS user in the 1980s and networked two large organizations during the network protocol (TCP/IP) standardization period of the late 80s. I then made a detour to MS Windows for 10 years. Recently I have used Debian/(K)ubuntu over the past several years, on a network of triple boot systems (which includes multiple Windows-based boxes).

My home is wired using LinuxMCE (Media Center Edition) 7.10 running on Kubuntu 7.10 (Gutsy), X10 controllers, surveillance cameras and motion detectors, and distributed multimedia.

My medium-large organization (which is healthcare-related) uses Debian/Ubuntu servers with Kolab for groupware, Drupal for collaborative web content, MediaWiki as a wiki, and WorldVistA as an electronic medical record system. We have also used DAViCal as a group calendar server, with Mozilla Thunderbird/Lightning and Sunbird as clients. I have several advanced medical certifications, as well as several other degrees. I regularly collaborate with state and national governmental agencies (in the US) regarding health information technology.

I also regularly contribute to Wikipedia, especially on specialized software topics, including electronic medical records. Most of my philosophy in life comes from [[User:Buckaroo_Banzai|Buckaroo Banzai]]. I currently live and work in Northern California.

== Contact ==
My e-mail is [[File:Perpsectiveoffice_email.png|link=User:Perspectoff#Contact]].<br>
:<center> </center>
My involvement with this website is intermittent; my response time may be slow. Please contact one of the other [[Administrators]]. However, if you are having trouble making a submission to the 'guide, send it to me by email and I'll put it in for you (in a few days). I will also respond to sponsorship requests.<br>

== Wisdom ==
<bashfr />
<br>

== Until the Case is Sol-ved! ==


[[File:Clouseau270.jpg]]
<br><br>
'''Police Chief Lundallah''': He pulled himself across the floor using this wire. How else could he have avoided our radar field?<br>
'''Inspector Clouseau''': Yes, how else? Hmm. Of course, he would have needed a very slippery floor to do that...<br>
'''Police Chief Lundallah''': Therefore the wax.<br>
'''Inspector Clouseau''': The wax? ... AGHH! ''[Clouseau slips on the waxed floor and falls to the ground]''<br>
'''Col. Sharky''': Are you all right, Inspector?<br>
'''Inspector Clouseau''': ''[on his knees]'' Of course I'm alright. I'm... examining the wax. ''[sniffs the wax on the floor]'' Have you taken a sample of this wax?<br>
'''Police Chief Lundallah''': Wax is wax!<br>
'''Inspector Clouseau''': See, this is where you are wrong. Wax is NOT just wax. In this case it is a clue. Domestic wax, Belgian Wax, French Wax, English Wax...<br>
'''Col. Sharky''': Ah, the Inspector is right. Have the wax tested immediately.<br>

== Sandbox ==
A secluded beach on [http://en.wikipedia.org/wiki/Palau#Environment Palau]... or the desert of Black Rock City during [http://www.burningman.com/ Burning Man]... sand is not just sand.<br>

-----------------------------------------------------------------------------

User:Perspectoff

Perspectoff — Sat, 18 May 2013 14:04:37 GMT

Perspectoff:

[[File:Science tux.png]]

From 2007 - 2012 I edited the English editions (grammar, spelling, and wiki appearance) of [http://ubuntuguide.org Ubuntuguide] and [http://ubuntuguide.org/wiki/Kubuntuguide Kubuntuguide], with the help of the excellent contributions by the users who added them. In 2012 I merged KubuntuGuide.org / Kubuntuguide.info with UbuntuGuide.org. During the same period I also ran a website called [http://ubuntudoctorsguild.dyndns.org Ubuntu Doctors Guild]. In early 2012 I moved several of my systems to [http://www.debian.org Debian] (with a KDE desktop) while maintaining multiple Kubuntu installations.

As of late 2012 I am only intermittently involved with the maintenance of this website.

I have been interested in distributed networks ("cloud computing") using Debian/Ubuntu/Kubuntu, especially using the Logical Volume Manager, RAID, and datacenter management tools that are useful for small and medium size businesses.

I am also an advocate for open-source (GPL-licensed) software solutions in health care, as a basis for a United States national health care system. I have served on a national standards committee regarding Health Information Technology in the US. A few years ago I created the (K)Ubuntu-derived [http://sourceforge.net/projects/ubuntu-med/ Ubuntu-Med] system (which is no longer maintained in its original form) and have now decided to focus on the [http://debian-med.alioth.debian.org/tasks/ Debian-Med] toolset instead, incorporating generic server functions into it.

== Background ==
I originally wrote software and software documentation for a large aerospace project and then for several military projects.

I was a UNIX and VMS user in the 1980s and networked two large organizations during the network protocol (TCP/IP) standardization period of the late 80s. I then made a detour to MS Windows for 10 years. Recently I have used Debian/(K)ubuntu over the past several years, on a network of triple boot systems (which includes multiple Windows-based boxes).

My home is wired using LinuxMCE (Media Center Edition) 7.10 running on Kubuntu 7.10 (Gutsy), X10 controllers, surveillance cameras and motion detectors, and distributed multimedia.

My medium-large organization (which is healthcare-related) uses Debian/Ubuntu servers with Kolab for groupware, Drupal for collaborative web content, MediaWiki as a wiki, and WorldVistA as an electronic medical record system. We have also used DAViCal as a group calendar server, with Mozilla Thunderbird/Lightning and Sunbird as clients. I have several advanced medical certifications, as well as several other degrees. I regularly collaborate with state and national governmental agencies (in the US) regarding health information technology.

I also regularly contribute to Wikipedia, especially on specialized software topics, including electronic medical records. Most of my philosophy in life comes from [[User:Buckaroo_Banzai|Buckaroo Banzai]]. I currently live in Northern California.

== Contact ==
My e-mail is [[File:Perpsectiveoffice_email.png|link=User:Perspectoff#Contact]].<br>
:<center> </center>
My involvement with this website is intermittent; my response time may be slow. Please contact one of the other [[Administrators]]. However, if you are having trouble making a submission to the 'guide, send it to me by email and I'll put it in for you (in a few days). I will also respond to sponsorship requests.<br>

== Wisdom ==
<bashfr />
<br>

== Until the Case is Sol-ved! ==


[[File:Clouseau270.jpg]]
<br><br>
'''Police Chief Lundallah''': He pulled himself across the floor using this wire. How else could he have avoided our radar field?<br>
'''Inspector Clouseau''': Yes, how else? Hmm. Of course, he would have needed a very slippery floor to do that...<br>
'''Police Chief Lundallah''': Therefore the wax.<br>
'''Inspector Clouseau''': The wax? ... AGHH! ''[Clouseau slips on the waxed floor and falls to the ground]''<br>
'''Col. Sharky''': Are you all right, Inspector?<br>
'''Inspector Clouseau''': ''[on his knees]'' Of course I'm alright. I'm... examining the wax. ''[sniffs the wax on the floor]'' Have you taken a sample of this wax?<br>
'''Police Chief Lundallah''': Wax is wax!<br>
'''Inspector Clouseau''': See, this is where you are wrong. Wax is NOT just wax. In this case it is a clue. Domestic wax, Belgian Wax, French Wax, English Wax...<br>
'''Col. Sharky''': Ah, the Inspector is right. Have the wax tested immediately.<br>

== Sandbox ==
A secluded beach on [http://en.wikipedia.org/wiki/Palau#Environment Palau]... or the desert of Black Rock City during [http://www.burningman.com/ Burning Man]... sand is not just sand.<br>

-----------------------------------------------------------------------------

Talk:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:39:37 GMT

Perspectoff:

This page contains errors.

Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:

sudo ln -s /etc/apache2/''sites-available''/proxiedhosts /etc/apache2/''sites-enabled''

:not

sudo ln -s /etc/apache2/''sites-enabled''/proxiedhosts /etc/apache2/''sites-enabled''

There's another step above it where the ''proxiedhosts'' file is created in sites-available. [[User:Jebbushell|Jebbushell]] 11:32, 14 May 2013 (UTC)

: Thank you, thank you for being so observant! That is a critical error. I have made the changes exactly as you pointed out. [[User:Perspectoff|Perspectoff]] 22:34, 17 May 2013 (UTC)

Talk:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:38:50 GMT

Perspectoff:

This page contains errors.

Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:

sudo ln -s /etc/apache2/''sites-available''/proxiedhosts /etc/apache2/''sites-enabled''

:not

sudo ln -s /etc/apache2/''sites-enabled''/proxiedhosts /etc/apache2/''sites-enabled''

There's another step above it where the ''proxiedhosts'' file is created in sites-available. [[User:Perspectoff|Perspectoff]] 11:32, 14 May 2013 (UTC)

: Thank you, thank you for being so observant! That is a critical error. I have made the changes exactly as you pointed out. [[User:Perspectoff|Perspectoff]] 22:34, 17 May 2013 (UTC)

Talk:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:37:38 GMT

Perspectoff:

This page contains errors.

Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:

sudo ln -s /etc/apache2/''sites-available''/proxiedhosts /etc/apache2/''sites-enabled''

:not

sudo ln -s /etc/apache2/''sites-enabled''/proxiedhosts /etc/apache2/''sites-enabled''

There's another step above it where the ''proxiedhosts'' file is created in sites-available.

: Thank you, thank you for being so observant! That is a critical error. I have made the changes exactly as you pointed out. [[User:Perspectoff|Perspectoff]] 22:34, 17 May 2013 (UTC)

Talk:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:36:26 GMT

Perspectoff:

This page contains errors.

Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:

sudo ln -s /etc/apache2/''sites-available''/proxiedhosts /etc/apache2/''sites-enabled''

There's another step above it where the ''proxiedhosts'' file is created in sites-available.

: Thank you, thank you for being so observant! That is a critical error. I have made the changes exactly as you pointed out. [[User:Perspectoff|Perspectoff]] 22:34, 17 May 2013 (UTC)

Talk:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:34:55 GMT

Perspectoff:

This page contains errors.

Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:

sudo ln -s /etc/apache2/''sites-enabled''/proxiedhosts /etc/apache2/''sites-enabled''

There's another above it where the proxiedhosts file is created in sites-enabled, not sites-available.

: Thank you, thank you for being so observant! That is a critical error. I have made the changes exactly as you pointed out. [[User:Perspectoff|Perspectoff]] 22:34, 17 May 2013 (UTC)

User talk:Jebbushell

Perspectoff — Fri, 17 May 2013 22:33:38 GMT

Perspectoff: Created page with 'Thank you VERY much for your correction (regarding Apache reverse proxies)! That was an important one! So glad you read that far and corrected the significant error. I have made…'

Thank you VERY much for your correction (regarding Apache reverse proxies)! That was an important one!

So glad you read that far and corrected the significant error. I have made the changes exactly as you said. I noticed you even kept my nomenclature, which is quite observant. Thank you again. [[User:Perspectoff|Perspectoff]] 22:33, 17 May 2013 (UTC)

Template:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:30:58 GMT

Perspectoff: /* Apache2 reverse proxies */

= Apache2 reverse proxies =
This solution solves the problem of having multiple servers on a LAN which has a single router connected to the Internet. The router forwards all port 80 traffic to a single primary server. That server will then be required to act as a proxy for the other servers on the LAN, redirecting incoming traffic addressed to the URLs of those other servers to their respective LAN IP addresses.

This increases the amount of traffic passing through the primary server, so is not a recommended solution for high volume situations unless the primary server is a dedicated gateway/proxy server. (For high volume situations, a [[Ubuntu:All#Reverse_proxy_Servers_and_Load_Balancers|load balancer]] such as Pound should be used.)

This method uses Apache2 virtual host configuration files on the primary server (to which the router sends port 80 traffic).

*On the primary server (which will act as the proxy), create a symbolic link to enable the proxy modules in Apache2, then restart Apache2:
sudo ln -s /etc/apache2/mods-available/proxy.load /etc/apache2/mods-enabled
sudo ln -s /etc/apache2/mods-available/proxy_http.load /etc/apache2/mods-enabled
sudo /etc/init.d/apache2 restart

*Edit a virtual host file for all secondary servers (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/''proxiedhosts''

:and edit the file so that it resembles:

<VirtualHost *:80>
#
ServerName ''internalserver2.mydomain.org''
#
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://''192.168.1.192''/
ProxyPassReverse / http://''192.168.1.192''/
#
</VirtualHost>
#
#<VirtualHost *:80>
#
#ServerName ''internalserver3.mydomain.org''
#
# ProxyPreserveHost On
# ProxyRequests off
# ProxyPass / http://''192.168.1.193''/
# ProxyPassReverse / http://''192.168.1.193''/
#
#</VirtualHost>
#
#<VirtualHost *:80>
#
#ServerName ''internalserver4.mydomain.org''
#
# ProxyPreserveHost On
# ProxyRequests off
# ProxyPass / http://''192.168.1.194''/
# ProxyPassReverse / http://''192.168.1.194''/
#
#</VirtualHost>

:Make sure that each URL for each server has an entry (and obviously remove the hashmarks for each one that is active).

*Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:
sudo ln -s /etc/apache2/sites-available/''proxiedhosts'' /etc/apache2/sites-enabled
sudo /etc/init.d/apache2 restart

== Other resources ==
The information for this page was synthesized from these sources:
*[http://jeffbaier.com/articles/configuring-apache-virtual-hosts-for-nat/ Configuring Apache virtual hosts for NAT] -- blog tutorial for Apache ProxyPass
*[http://www.raskas.be/blog/2006/04/21/reverse-proxy-of-virtual-hosts-with-apache-2/ Reverse proxy of virtual hosts with apache 2] (no longer available)
*[http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass Apache2 mod_proxy instructions]

Template:Apache2 reverse proxies

Perspectoff — Fri, 17 May 2013 22:29:31 GMT

Perspectoff: /* Apache2 reverse proxies */

= Apache2 reverse proxies =
This solution solves the problem of having multiple servers on a LAN which has a single router connected to the Internet. The router forwards all port 80 traffic to a single primary server. That server will then be required to act as a proxy for the other servers on the LAN, redirecting incoming traffic addressed to the URLs of those other servers to their respective LAN IP addresses.

This increases the amount of traffic passing through the primary server, so is not a recommended solution for high volume situations unless the primary server is a dedicated gateway/proxy server. (For high volume situations, a [[Ubuntu:All#Reverse_proxy_Servers_and_Load_Balancers|load balancer]] such as Pound should be used.)

This method uses Apache2 virtual host configuration files on the primary server (to which the router sends port 80 traffic).

*On the primary server (which will act as the proxy), create a symbolic link to enable the proxy modules in Apache2, then restart Apache2:
sudo ln -s /etc/apache2/mods-available/proxy.load /etc/apache2/mods-enabled
sudo ln -s /etc/apache2/mods-available/proxy_http.load /etc/apache2/mods-enabled
sudo /etc/init.d/apache2 restart

*Edit a virtual host file for all secondary servers (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/apache2/sites-available/proxiedhosts

:and edit the file so that it resembles:

<VirtualHost *:80>
#
ServerName ''internalserver2.mydomain.org''
#
ProxyPreserveHost On
ProxyRequests off
ProxyPass / http://''192.168.1.192''/
ProxyPassReverse / http://''192.168.1.192''/
#
</VirtualHost>
#
#<VirtualHost *:80>
#
#ServerName ''internalserver3.mydomain.org''
#
# ProxyPreserveHost On
# ProxyRequests off
# ProxyPass / http://''192.168.1.193''/
# ProxyPassReverse / http://''192.168.1.193''/
#
#</VirtualHost>
#
#<VirtualHost *:80>
#
#ServerName ''internalserver4.mydomain.org''
#
# ProxyPreserveHost On
# ProxyRequests off
# ProxyPass / http://''192.168.1.194''/
# ProxyPassReverse / http://''192.168.1.194''/
#
#</VirtualHost>

:Make sure that each URL for each server has an entry (and obviously remove the hashmarks for each one that is active).

*Activate the virtual host file by making a symbolic link to the Apache2 sites-enabled folder then restarting Apache2:
sudo ln -s /etc/apache2/sites-available/proxiedhosts /etc/apache2/sites-enabled
sudo /etc/init.d/apache2 restart

== Other resources ==
The information for this page was synthesized from these sources:
*[http://jeffbaier.com/articles/configuring-apache-virtual-hosts-for-nat/ Configuring Apache virtual hosts for NAT] -- blog tutorial for Apache ProxyPass
*[http://www.raskas.be/blog/2006/04/21/reverse-proxy-of-virtual-hosts-with-apache-2/ Reverse proxy of virtual hosts with apache 2] (no longer available)
*[http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass Apache2 mod_proxy instructions]

Template:Public Service Announcement

Perspectoff — Sat, 04 May 2013 04:14:19 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] all year long and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
     ... and plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows [http://en.wikipedia.org/wiki/Big_Brother_%28Nineteen_Eighty-Four%29 Big Brother] monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live [http://www.guardian.co.uk/commentisfree/2013/apr/18/cispa-2013-house-vote-internet-privacy in Michigan] you may be out of luck).
<center>------------</center>

Template:Tor

Perspectoff — Mon, 29 Apr 2013 17:56:34 GMT

Perspectoff: /* Using Konversation with Tor */

= Tor =
[http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)

* Tor network speed improves when there are more [https://www.torproject.org/getinvolved/volunteer.html.en volunteers] to run [https://www.torproject.org/docs/tor-doc-relay.html.en relays] (and relays have better anonymity), bridges, and exit nodes. Please consider being a relay or bridge node if your ISP does not filter Tor and you have good bandwidth. Additonally please consider configuring your relay as an [https://www.torproject.org/docs/faq.html.en#ExitPolicies exit node] (if you are in a favorable network and don't mind a little bit of potential [https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment hassle] for being an exit node).

== Install Tor (Network privacy) ==
* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details. In general:
sudo apt-get install tor

* Tor can be run in its default configuration from the command-line (or from a menu item with the "Advanced -> Run in terminal" box ticked):
tor

:A separate menu item can be created to reliably shut down Tor:
sudo killall tor

* By default Tor listens for Socks5 traffic on port 9050. (Socks5 proxies are able to tunnel both UDP and HTTP traffic through them.) In general, applications (including other daisy-chained proxies) should be configured to use Tor as a Socks5 proxy on port 9050.

* I don't like Tor to automatically start at boot, so I edit the /etc/tor/torrc configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/tor/torrc

:and change the line so it looks like:
#RunAsDaemon 1
RunAsDaemon 0

:then restart Tor:
sudo /etc/init.d/tor restart

== Using Tor with Firefox ==
[[File:Prefapp1.png|18 px]] Tor acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. Recent versions of Firefox allow direction of all traffic, including DNS resolution, through a Socks5 proxy. To enable this behaviour (after starting and running a previously installed version of Tor):
:Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> Manual proxy configuration (''ticked'') -> SOCKS Host: ''127.0.0.1'' (or ''localhost'') -> Port: ''9050'' -> SOCKSv5 (''ticked'') -> No Proxy for: ''127.0.0.1'' (or ''localhost'')
* To return to using Firefox without a proxy (such as Tor), choose "No proxy" in the Firefox Network settings:
:Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> No proxy (''ticked'')

== Tor Browser Bundle ==
The [https://www.torproject.org/projects/torbrowser.html Tor Browser Bundle] (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) provides greater functionality and security than the stock Firefox version with the standalone Torbutton. Install from [https://www.torproject.org/projects/torbrowser.html here] the version for your language and unpack it. For example:
wget <nowiki>https://www.torproject.org/dist/torbrowser/linux/</nowiki>tor-browser-gnu-linux-x86_64-2.2.35-12-dev-en-US.tar.gz
tar -xvzf tor-browser-gnu-linux-x86_64-2.2.35-12-dev-en-US.tar.gz

Then change to the extracted directory and start the Tor Browser Bundle:
cd tor-browser_en-US
./start-tor-browser

A menu item can also be created with the command to start it.

=== Torbutton (Firefox plug-in) ===
Once the [[#Tor_Browser_Bundle|Tor Browser Bundle]] is installed and Tor is running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Updates to Torbutton can be installed using the .xpi extension found directly from the [https://www.torproject.org/torbutton/ website].

* As of 2012, Torbutton only works with modified versions of Firefox found in the Tor Project's [https://www.torproject.org/projects/torbrowser.html Tor Browser Bundle] (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) or with some older (non-updated) versions of Firefox.

* Newer versions of Firefox may refuse to start when Torbutton is installed. If this occurs, Firefox must be started in safe mode:
firefox -safe-mode

:Be sure to select "Start in Safe Mode" instead of "Reset Firefox" (unless you want to erase all your configuration settings and erase all your extensions/add-ons/plug-ins). Once in Safe Mode, the Torbutton extension can be disabled or removed (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Remove) and Firefox set to use "No proxy" in the Firefox Network settings:
::Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> No proxy (''ticked'')

* The standalone Torbutton add-on for Firefox disables many functions of Firefox (when used with older unmodified versions of Firefox), such as the Drag and Drop function. It must therefore be disabled (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Disable) while using many of these Firefox functions.

== Using Konversation with Tor ==
[[Kubuntu_Precise_Internet#Konversation_.28IRC_client.29|Konversation]] is an Internet Relay Chat client similar to [[MIRC|mIRC]]. Unfortunately, your IP address is easily determioned while using an IRC client. Konversation directly allows the use of a Socks proxy, however. If running Tor on port 9050, configure Konversation to use the Socks5 proxy on port 9050:
:Konversation -> Settings -> Configure Konversation... -> Behavior: Connection -> Proxy (''ticked'') -> Type: ''Socks v5'' -> Address: ''127.0.0.1'' (or ''localhost'') -> Port: ''9050''

== Using proxies with Tor ==
=== usewithtor ===
* If you installed a recent version of Tor from the repositories, you will have installed the "[http://code.google.com/p/torsocks/ usewithtor]" package. A number of applications can be automatically redirected to the Torsocks proxy ([http://code.google.com/p/torsocks/ torsocks]) with this utility:
usewithtor ''myapplication''

A menu item with such a command can then be created.

* By using torsocks, usewithtor will also block an application from sending UDP traffic (which is not anonymized by the Tor network).

* Applications that you wish to "usewithtor" (with torsocks) or "torify" (with tsocks) should use port 8118 for the http proxy port and port 9050 for the socks port.

=== torify ===
* Another method is to "[https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO torify]" an application with a different tor socks proxy ([http://tsocks.sourceforge.net/ tsocks]) if tsocks has been configured (edit /etc/tor/tor-tsocks.conf).
torify ''myapplication''

* tsocks does not explictly block UDP traffic, so if it is desirable to allow UDP traffic while anonymizing fttp traffic, use this method.

=== Privoxy ===
* I use the Privoxy proxy to tunnel http traffic through Tor. Install the Privoxy http proxy:
sudo apt-get install privoxy

* Applications can be set to send their http traffic to Privoxy over port 8118; Privoxy will then in turn forward the http traffic to Tor over port 9050. (Use an IP address other than ''127.0.0.1'' if Privoxy and/or Tor are not on the local machine. Use ''localhost'' instead of ''127.0.0.1'' if using IPv6 addressing on your systems).

Note: For some older versions of Privoxy, users have reported better success designating the address of the host computer as ''127.0.0.1'' instead of ''localhost'' in the configuration settings.

* Edit configuration files.
:* In the configuration file Privoxy is configured by default to listen on port ''127.0.0.1'':8118. See [[#Firewall_considerations|Firewall considerations]]. Edit the Privoxy configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/privoxy/config
::Add the lines
forward-socks5 / ''127.0.0.1'':9050 .
forward-socks4a / ''127.0.0.1'':9050 .

Note: socks5 allows more authentication choices, UDP for external DNS resolution, and accommodates IPv6. (By including both lines, socks4a is used as a fallback if a program does not support socks5.)

:*Restart Privoxy:
sudo /etc/init.d/privoxy restart

=== Other proxies ===
Other proxies such as [http://www.dest-unreach.org/socat/doc/socat.html socat], [http://www.pps.jussieu.fr/~jch/software/polipo/ Polipo] can also be used with Tor instead or Privoxy. [http://www.squid-cache.org/ Squid] can also be daisy-chained to one of the proxies.

=== Ensuring applications use the proxy ===
* See [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc#UnixandLinuxConfiguration this advice]. (Note: this is labeled as "old advice.") In (K)Ubuntu, the bash configuration files are at ~/.profile (i.e. /home/''user''/.profile) for the current user or at /etc/profile for system-wide usage. Using this advice, edit one of those two files and add the lines at the end of the file:
http_proxy=<nowiki>http://127.0.0.1:8118/</nowiki>
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

==== Using specific applications with Tor ====
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers Web Browsers]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail E-mail]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/TorifyHOWTO/FTP FTP]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc Misc]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging Instant Messaging]
:* Torchat can be used for IM through Tor. Install:
sudo apt-get install torchat

* Other applications may allow for the http proxy and the chainloaded socks services of Tor to be used independently (in parallel). Once Tor (and the relevant proxy or proxies) are running, the http proxy ''127.0.0.1'':8118 and the socks proxy ''127.0.0.1'':9050 can be specified in the configuration settings of an application that allows for this.

== Tor GUIs ==
* It is not necessary to use a GUI with Tor.

* If you will use Tor with a GUI interface (such as Vidalia or TorK), however, edit the Tor configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):

sudo kate /etc/tor/torrc

:* Add the line so that the GUI interface can control Tor over port 9051:
ControlPort 9051

:Note: There is some concern that allowing control of Tor over port 9051 is not secure. If you will not be using a GUI, this step is not advised.

=== Vidalia (Tor interface) ===
[https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories (as of Natty 11.04). However, if desired it can still be installed (along with the required older Qt3 libraries) by adding the [http://packages.ubuntu.com/maverick/amd64/tork/download Maverick repository] (directly or using a package manager):
deb <nowiki>http://ubuntu.mirror.cambrium.nl/ubuntu/</nowiki> maverick main universe

* Installing TorK also will install privoxy and unless you have also added the Tor repository directly, will also install an older version of Tor from the Ubuntu universe repositories. See [http://ubuntuforums.org/archive/index.php/t-800115.html these installation tips]. Install:
sudo apt-get install tork privoxy

* Run TorK (K menu -> Internet -> TorK Anonymity Manager) for the first time using the First Run Wizard (TorK -> Tools -> First Run Wizard).
::"No, tor is going to run on this PC" then "I have to start Tor manually" then "Run A Tor client with default settings" then "I want to use Privoxy..." then "Privoxy starts in the background when my computer boots up" then go through the remaining options.
::I then start ("Play") TorK as a Client. I happen to like Konqueror for Anonymous browsing, since it worked the first time for me without a problem. I keep Firefox for non-Tor browsing (so I don't have to change any of its settings) or install Torbutton (see below). You may have to fiddle with your Network proxy settings in Konqueror or Firefox (if things don't work the way you expect them to).
* Allow the [[Ubuntu:All#Firewall|Firewall]] (like Firestarter) to allow ports 8118, 9050, 9051, or just turn off the firewall completely, until everything is working. Then turn the firewall back on. (You should monitor your firewall carefully. TorK has settings to automatically turn it off, if you aren't careful.) No ports are required to be left open in the firewall for Tor to work, as all traffic will be directed through the socks port 9050 (which avoids the firewall).
* Applications that you wish to "torify" (with tsocks) or "usewithtor" (with torsocks) should use port 8118 (i.e. 127.0.0.1:8118) for the http proxy and port 9050 (127.0.0.1:9050) for the socks port.

* Once configured as a client successfully, if you have the bandwidth and a stable environment please enable the client/relay mode and/or server mode so that the Tor bandwidth is increased.

* Note: Tork constantly monitors the network (both Tor and non-Tor traffic). This can cause slowing of the Tor traffic from your computer and even cause intermittent interruptions. (Tor runs in the background and does not require Tork to be running as a control module.) If Tor is running in a stable mode, it will be faster (and less problematic) to stop Tork (sudo killall tork) and allow Tor to run in the background.

* Note: Traffic that is routed through Privoxy (and then presumably to Tor from Privoxy if configured correctly) will be logged as "non-Tor" traffic by Tork. As long as Privoxy is working correctly, however, this traffic is being forwarded through the Tor socket.

* Tork does not start Privoxy properly. Privoxy must be started (prior to starting Tork) as a startup program (e.g. using the Bootup-Manager) or manually with the command:
sudo /etc/init.d/privoxy start

==== Prevent autostart of proxies and Tor ====
* Whenever I stopped the TorK GUI and then later wanted to start it again, I had to manually kill the Privoxy and Tor processes first.
sudo killall privoxy
sudo killall tor

* Further, Tor, Privoxy, and Polipo install themselves as automatically started services at bootup. Preventing automatic startup (at boot) of Tor and Privoxy (and/or Polipo) can be accomplished by one of the methods in this [http://ubuntuforums.org/showthread.php?t=1277224 Ubuntu Forums thread]. Personally, I like using [[Ubuntu:All#Choose_Bootup.2FStartup_services|Bootup-Manager]]:
sudo apt-get install bum

:but another option is:
sudo update-rc.d tor disable
sudo update-rc.d privoxy disable
sudo update-rc.d polipo disable

which will also stop updates from re-installing the applications as startup services when updates are made.

* If Privoxy is stopped, it must be re-started with the [[Ubuntu:All#Choose_Bootup.2FStartup_services|Bootup-Manager]] or using the command:
sudo /etc/init.d/privoxy start

== Firewall considerations ==
=== Single computer ===
If you have the Tor client, the proxy client (Privoxy, Polipo, or socat), and the browser client (or other application) on the same computer, you do not need to have any open ports in order to use Tor. In such a circumstance it is safest to block all ports that connect to the Internet. The socks proxy bypasses the firewall entirely (so there is no need to leave any ports open in order for it to communicate).

By closing all ports (using a firewall), applications will be prevented from bypassing Tor (accidentally or unknowingly). Later, if you wish to have some of your traffic directed through Tor and some of your traffic traffic routed outside of Tor, you can open the ports for the traffic that will not go through Tor.

=== Proxy on LAN ===
If the proxy (Privoxy, Polipo, socat, etc.) on your LAN is on a computer different from the computer(s) that have the end-user client applications, it is best to open the port (e.g. 8118) for communication only between computers on the LAN (with the end-application clients on them) and the computer on the LAN with the proxy on it. Port 8118 should then not be open to the Internet but only to the computers on the LAN that will use the proxy.

If the Proxy and Tor client are on different computers as well, port 9050 should be open (on the LAN, not on the Internet) between the computer with the Proxy and the computer with the Tor client only, so that the Proxy can forward traffic to the Tor client (but not to the Internet). (Obviously, if the Proxy and the Tor client are on the same computer, there is no need to open the 9050 port at all.)

=== Blocking all non-Tor traffic using iptables ===
To ensure that no unprotected traffic "leaks" from applications without your knowledge, it is possible to configure your firewall iptables to prevent all traffic except that which is transmitted through Tor.
* See [https://trac.torproject.org/projects/tor/wiki/doc/BlockNonTorTrafficDebian this page].

=== Tor network initialization ===
It may be necessary to open port 443 (or less desirably port 80) to allow resolution of the nodes of the Tor network. Consider using [[Ubuntu:All#DNS_Servers_and_Search_engines|DNS privacy methods]].

== Troubleshooting ==
*Some routers (including a certain version of the Linksys WRT54G) slow down when the incoming/outgoing connection log (cache) becomes full (which can happen with many Tor or P2P connections). Disable the Log if this problem occurs.

* Although applicable to p2p traffic, [http://ktorrent.org/wiki/index.php/FAQ#Problem_solving this information] is generically applicable to Tor as well.

== Other resources ==
* [http://www.torproject.org/docs/documentation.html Tor documentation]
* [https://www.torproject.org/projects/obfsproxy.html.en Obfsproxy] is a proxy to transform data between a client and a Bridge node into innocent looking data, in order to circumvent Deep Packet Inspection (DPI) censorship.
* [[Anonymous_email|Anonymous email]] tips -- setting up web-based email anonymously through the Tor network

* [http://www.cypherpunk.at/onioncat/ OnionCat] transmits IP-based data transparently through the Tor network on a location hidden basis. (Also see [http://www.abenteuerland.at/onioncat/ this info]).

Similar networks:

* [http://www.i2p2.de I2P] is another anonymizing network similar to Tor. (See [http://www.i2p2.de/debian instructions] and [https://help.ubuntu.com/community/I2P Ubuntu community help].)
* [http://freenetproject.org/ Freenet] is another anonymizing network similar to Tor.
* [https://gnunet.org/ Gnunet] is another anonymizing network similar to Tor.
* [https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous_P2P#List_of_anonymous_P2P_networks_and_clients List of similar networks at Wikipedia]

Template:Tor

Perspectoff — Mon, 29 Apr 2013 17:54:11 GMT

Perspectoff: /* Using Konversation with Tor */

= Tor =
[http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)

* Tor network speed improves when there are more [https://www.torproject.org/getinvolved/volunteer.html.en volunteers] to run [https://www.torproject.org/docs/tor-doc-relay.html.en relays] (and relays have better anonymity), bridges, and exit nodes. Please consider being a relay or bridge node if your ISP does not filter Tor and you have good bandwidth. Additonally please consider configuring your relay as an [https://www.torproject.org/docs/faq.html.en#ExitPolicies exit node] (if you are in a favorable network and don't mind a little bit of potential [https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment hassle] for being an exit node).

== Install Tor (Network privacy) ==
* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details. In general:
sudo apt-get install tor

* Tor can be run in its default configuration from the command-line (or from a menu item with the "Advanced -> Run in terminal" box ticked):
tor

:A separate menu item can be created to reliably shut down Tor:
sudo killall tor

* By default Tor listens for Socks5 traffic on port 9050. (Socks5 proxies are able to tunnel both UDP and HTTP traffic through them.) In general, applications (including other daisy-chained proxies) should be configured to use Tor as a Socks5 proxy on port 9050.

* I don't like Tor to automatically start at boot, so I edit the /etc/tor/torrc configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/tor/torrc

:and change the line so it looks like:
#RunAsDaemon 1
RunAsDaemon 0

:then restart Tor:
sudo /etc/init.d/tor restart

== Using Tor with Firefox ==
[[File:Prefapp1.png|18 px]] Tor acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. Recent versions of Firefox allow direction of all traffic, including DNS resolution, through a Socks5 proxy. To enable this behaviour (after starting and running a previously installed version of Tor):
:Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> Manual proxy configuration (''ticked'') -> SOCKS Host: ''127.0.0.1'' (or ''localhost'') -> Port: ''9050'' -> SOCKSv5 (''ticked'') -> No Proxy for: ''127.0.0.1'' (or ''localhost'')
* To return to using Firefox without a proxy (such as Tor), choose "No proxy" in the Firefox Network settings:
:Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> No proxy (''ticked'')

== Tor Browser Bundle ==
The [https://www.torproject.org/projects/torbrowser.html Tor Browser Bundle] (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) provides greater functionality and security than the stock Firefox version with the standalone Torbutton. Install from [https://www.torproject.org/projects/torbrowser.html here] the version for your language and unpack it. For example:
wget <nowiki>https://www.torproject.org/dist/torbrowser/linux/</nowiki>tor-browser-gnu-linux-x86_64-2.2.35-12-dev-en-US.tar.gz
tar -xvzf tor-browser-gnu-linux-x86_64-2.2.35-12-dev-en-US.tar.gz

Then change to the extracted directory and start the Tor Browser Bundle:
cd tor-browser_en-US
./start-tor-browser

A menu item can also be created with the command to start it.

=== Torbutton (Firefox plug-in) ===
Once the [[#Tor_Browser_Bundle|Tor Browser Bundle]] is installed and Tor is running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Updates to Torbutton can be installed using the .xpi extension found directly from the [https://www.torproject.org/torbutton/ website].

* As of 2012, Torbutton only works with modified versions of Firefox found in the Tor Project's [https://www.torproject.org/projects/torbrowser.html Tor Browser Bundle] (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) or with some older (non-updated) versions of Firefox.

* Newer versions of Firefox may refuse to start when Torbutton is installed. If this occurs, Firefox must be started in safe mode:
firefox -safe-mode

:Be sure to select "Start in Safe Mode" instead of "Reset Firefox" (unless you want to erase all your configuration settings and erase all your extensions/add-ons/plug-ins). Once in Safe Mode, the Torbutton extension can be disabled or removed (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Remove) and Firefox set to use "No proxy" in the Firefox Network settings:
::Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> No proxy (''ticked'')

* The standalone Torbutton add-on for Firefox disables many functions of Firefox (when used with older unmodified versions of Firefox), such as the Drag and Drop function. It must therefore be disabled (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Disable) while using many of these Firefox functions.

== Using Konversation with Tor ==
[[Kubuntu_Precise_Internet#Konversation_.28IRC_client.29|Konversation]] is an Internet Relay Chat client similar to [http://en.wikipedia.org/wiki/MIRC mIRC]. Unfortunately, your IP address is easily determioned while using an IRC client. Konversation directly allows the use of a Socks proxy, however. If running Tor on port 9050, configure Konversation to use the Socks5 proxy on port 9050:
:Konversation -> Settings -> Configure Konversation... -> Behavior: Connection -> Proxy (''ticked'') -> Type: ''Socks v5'' -> Address: ''127.0.0.1'' (or ''localhost'') -> Port: ''9050''

== Using proxies with Tor ==
=== usewithtor ===
* If you installed a recent version of Tor from the repositories, you will have installed the "[http://code.google.com/p/torsocks/ usewithtor]" package. A number of applications can be automatically redirected to the Torsocks proxy ([http://code.google.com/p/torsocks/ torsocks]) with this utility:
usewithtor ''myapplication''

A menu item with such a command can then be created.

* By using torsocks, usewithtor will also block an application from sending UDP traffic (which is not anonymized by the Tor network).

* Applications that you wish to "usewithtor" (with torsocks) or "torify" (with tsocks) should use port 8118 for the http proxy port and port 9050 for the socks port.

=== torify ===
* Another method is to "[https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO torify]" an application with a different tor socks proxy ([http://tsocks.sourceforge.net/ tsocks]) if tsocks has been configured (edit /etc/tor/tor-tsocks.conf).
torify ''myapplication''

* tsocks does not explictly block UDP traffic, so if it is desirable to allow UDP traffic while anonymizing fttp traffic, use this method.

=== Privoxy ===
* I use the Privoxy proxy to tunnel http traffic through Tor. Install the Privoxy http proxy:
sudo apt-get install privoxy

* Applications can be set to send their http traffic to Privoxy over port 8118; Privoxy will then in turn forward the http traffic to Tor over port 9050. (Use an IP address other than ''127.0.0.1'' if Privoxy and/or Tor are not on the local machine. Use ''localhost'' instead of ''127.0.0.1'' if using IPv6 addressing on your systems).

Note: For some older versions of Privoxy, users have reported better success designating the address of the host computer as ''127.0.0.1'' instead of ''localhost'' in the configuration settings.

* Edit configuration files.
:* In the configuration file Privoxy is configured by default to listen on port ''127.0.0.1'':8118. See [[#Firewall_considerations|Firewall considerations]]. Edit the Privoxy configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/privoxy/config
::Add the lines
forward-socks5 / ''127.0.0.1'':9050 .
forward-socks4a / ''127.0.0.1'':9050 .

Note: socks5 allows more authentication choices, UDP for external DNS resolution, and accommodates IPv6. (By including both lines, socks4a is used as a fallback if a program does not support socks5.)

:*Restart Privoxy:
sudo /etc/init.d/privoxy restart

=== Other proxies ===
Other proxies such as [http://www.dest-unreach.org/socat/doc/socat.html socat], [http://www.pps.jussieu.fr/~jch/software/polipo/ Polipo] can also be used with Tor instead or Privoxy. [http://www.squid-cache.org/ Squid] can also be daisy-chained to one of the proxies.

=== Ensuring applications use the proxy ===
* See [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc#UnixandLinuxConfiguration this advice]. (Note: this is labeled as "old advice.") In (K)Ubuntu, the bash configuration files are at ~/.profile (i.e. /home/''user''/.profile) for the current user or at /etc/profile for system-wide usage. Using this advice, edit one of those two files and add the lines at the end of the file:
http_proxy=<nowiki>http://127.0.0.1:8118/</nowiki>
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

==== Using specific applications with Tor ====
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers Web Browsers]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail E-mail]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/TorifyHOWTO/FTP FTP]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc Misc]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging Instant Messaging]
:* Torchat can be used for IM through Tor. Install:
sudo apt-get install torchat

* Other applications may allow for the http proxy and the chainloaded socks services of Tor to be used independently (in parallel). Once Tor (and the relevant proxy or proxies) are running, the http proxy ''127.0.0.1'':8118 and the socks proxy ''127.0.0.1'':9050 can be specified in the configuration settings of an application that allows for this.

== Tor GUIs ==
* It is not necessary to use a GUI with Tor.

* If you will use Tor with a GUI interface (such as Vidalia or TorK), however, edit the Tor configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):

sudo kate /etc/tor/torrc

:* Add the line so that the GUI interface can control Tor over port 9051:
ControlPort 9051

:Note: There is some concern that allowing control of Tor over port 9051 is not secure. If you will not be using a GUI, this step is not advised.

=== Vidalia (Tor interface) ===
[https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories (as of Natty 11.04). However, if desired it can still be installed (along with the required older Qt3 libraries) by adding the [http://packages.ubuntu.com/maverick/amd64/tork/download Maverick repository] (directly or using a package manager):
deb <nowiki>http://ubuntu.mirror.cambrium.nl/ubuntu/</nowiki> maverick main universe

* Installing TorK also will install privoxy and unless you have also added the Tor repository directly, will also install an older version of Tor from the Ubuntu universe repositories. See [http://ubuntuforums.org/archive/index.php/t-800115.html these installation tips]. Install:
sudo apt-get install tork privoxy

* Run TorK (K menu -> Internet -> TorK Anonymity Manager) for the first time using the First Run Wizard (TorK -> Tools -> First Run Wizard).
::"No, tor is going to run on this PC" then "I have to start Tor manually" then "Run A Tor client with default settings" then "I want to use Privoxy..." then "Privoxy starts in the background when my computer boots up" then go through the remaining options.
::I then start ("Play") TorK as a Client. I happen to like Konqueror for Anonymous browsing, since it worked the first time for me without a problem. I keep Firefox for non-Tor browsing (so I don't have to change any of its settings) or install Torbutton (see below). You may have to fiddle with your Network proxy settings in Konqueror or Firefox (if things don't work the way you expect them to).
* Allow the [[Ubuntu:All#Firewall|Firewall]] (like Firestarter) to allow ports 8118, 9050, 9051, or just turn off the firewall completely, until everything is working. Then turn the firewall back on. (You should monitor your firewall carefully. TorK has settings to automatically turn it off, if you aren't careful.) No ports are required to be left open in the firewall for Tor to work, as all traffic will be directed through the socks port 9050 (which avoids the firewall).
* Applications that you wish to "torify" (with tsocks) or "usewithtor" (with torsocks) should use port 8118 (i.e. 127.0.0.1:8118) for the http proxy and port 9050 (127.0.0.1:9050) for the socks port.

* Once configured as a client successfully, if you have the bandwidth and a stable environment please enable the client/relay mode and/or server mode so that the Tor bandwidth is increased.

* Note: Tork constantly monitors the network (both Tor and non-Tor traffic). This can cause slowing of the Tor traffic from your computer and even cause intermittent interruptions. (Tor runs in the background and does not require Tork to be running as a control module.) If Tor is running in a stable mode, it will be faster (and less problematic) to stop Tork (sudo killall tork) and allow Tor to run in the background.

* Note: Traffic that is routed through Privoxy (and then presumably to Tor from Privoxy if configured correctly) will be logged as "non-Tor" traffic by Tork. As long as Privoxy is working correctly, however, this traffic is being forwarded through the Tor socket.

* Tork does not start Privoxy properly. Privoxy must be started (prior to starting Tork) as a startup program (e.g. using the Bootup-Manager) or manually with the command:
sudo /etc/init.d/privoxy start

==== Prevent autostart of proxies and Tor ====
* Whenever I stopped the TorK GUI and then later wanted to start it again, I had to manually kill the Privoxy and Tor processes first.
sudo killall privoxy
sudo killall tor

* Further, Tor, Privoxy, and Polipo install themselves as automatically started services at bootup. Preventing automatic startup (at boot) of Tor and Privoxy (and/or Polipo) can be accomplished by one of the methods in this [http://ubuntuforums.org/showthread.php?t=1277224 Ubuntu Forums thread]. Personally, I like using [[Ubuntu:All#Choose_Bootup.2FStartup_services|Bootup-Manager]]:
sudo apt-get install bum

:but another option is:
sudo update-rc.d tor disable
sudo update-rc.d privoxy disable
sudo update-rc.d polipo disable

which will also stop updates from re-installing the applications as startup services when updates are made.

* If Privoxy is stopped, it must be re-started with the [[Ubuntu:All#Choose_Bootup.2FStartup_services|Bootup-Manager]] or using the command:
sudo /etc/init.d/privoxy start

== Firewall considerations ==
=== Single computer ===
If you have the Tor client, the proxy client (Privoxy, Polipo, or socat), and the browser client (or other application) on the same computer, you do not need to have any open ports in order to use Tor. In such a circumstance it is safest to block all ports that connect to the Internet. The socks proxy bypasses the firewall entirely (so there is no need to leave any ports open in order for it to communicate).

By closing all ports (using a firewall), applications will be prevented from bypassing Tor (accidentally or unknowingly). Later, if you wish to have some of your traffic directed through Tor and some of your traffic traffic routed outside of Tor, you can open the ports for the traffic that will not go through Tor.

=== Proxy on LAN ===
If the proxy (Privoxy, Polipo, socat, etc.) on your LAN is on a computer different from the computer(s) that have the end-user client applications, it is best to open the port (e.g. 8118) for communication only between computers on the LAN (with the end-application clients on them) and the computer on the LAN with the proxy on it. Port 8118 should then not be open to the Internet but only to the computers on the LAN that will use the proxy.

If the Proxy and Tor client are on different computers as well, port 9050 should be open (on the LAN, not on the Internet) between the computer with the Proxy and the computer with the Tor client only, so that the Proxy can forward traffic to the Tor client (but not to the Internet). (Obviously, if the Proxy and the Tor client are on the same computer, there is no need to open the 9050 port at all.)

=== Blocking all non-Tor traffic using iptables ===
To ensure that no unprotected traffic "leaks" from applications without your knowledge, it is possible to configure your firewall iptables to prevent all traffic except that which is transmitted through Tor.
* See [https://trac.torproject.org/projects/tor/wiki/doc/BlockNonTorTrafficDebian this page].

=== Tor network initialization ===
It may be necessary to open port 443 (or less desirably port 80) to allow resolution of the nodes of the Tor network. Consider using [[Ubuntu:All#DNS_Servers_and_Search_engines|DNS privacy methods]].

== Troubleshooting ==
*Some routers (including a certain version of the Linksys WRT54G) slow down when the incoming/outgoing connection log (cache) becomes full (which can happen with many Tor or P2P connections). Disable the Log if this problem occurs.

* Although applicable to p2p traffic, [http://ktorrent.org/wiki/index.php/FAQ#Problem_solving this information] is generically applicable to Tor as well.

== Other resources ==
* [http://www.torproject.org/docs/documentation.html Tor documentation]
* [https://www.torproject.org/projects/obfsproxy.html.en Obfsproxy] is a proxy to transform data between a client and a Bridge node into innocent looking data, in order to circumvent Deep Packet Inspection (DPI) censorship.
* [[Anonymous_email|Anonymous email]] tips -- setting up web-based email anonymously through the Tor network

* [http://www.cypherpunk.at/onioncat/ OnionCat] transmits IP-based data transparently through the Tor network on a location hidden basis. (Also see [http://www.abenteuerland.at/onioncat/ this info]).

Similar networks:

* [http://www.i2p2.de I2P] is another anonymizing network similar to Tor. (See [http://www.i2p2.de/debian instructions] and [https://help.ubuntu.com/community/I2P Ubuntu community help].)
* [http://freenetproject.org/ Freenet] is another anonymizing network similar to Tor.
* [https://gnunet.org/ Gnunet] is another anonymizing network similar to Tor.
* [https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous_P2P#List_of_anonymous_P2P_networks_and_clients List of similar networks at Wikipedia]

Template:Tor

Perspectoff — Mon, 29 Apr 2013 17:52:36 GMT

Perspectoff: /* Using Konversation with Tor */

= Tor =
[http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)

* Tor network speed improves when there are more [https://www.torproject.org/getinvolved/volunteer.html.en volunteers] to run [https://www.torproject.org/docs/tor-doc-relay.html.en relays] (and relays have better anonymity), bridges, and exit nodes. Please consider being a relay or bridge node if your ISP does not filter Tor and you have good bandwidth. Additonally please consider configuring your relay as an [https://www.torproject.org/docs/faq.html.en#ExitPolicies exit node] (if you are in a favorable network and don't mind a little bit of potential [https://blog.torproject.org/blog/tips-running-exit-node-minimal-harassment hassle] for being an exit node).

== Install Tor (Network privacy) ==
* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details. In general:
sudo apt-get install tor

* Tor can be run in its default configuration from the command-line (or from a menu item with the "Advanced -> Run in terminal" box ticked):
tor

:A separate menu item can be created to reliably shut down Tor:
sudo killall tor

* By default Tor listens for Socks5 traffic on port 9050. (Socks5 proxies are able to tunnel both UDP and HTTP traffic through them.) In general, applications (including other daisy-chained proxies) should be configured to use Tor as a Socks5 proxy on port 9050.

* I don't like Tor to automatically start at boot, so I edit the /etc/tor/torrc configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/tor/torrc

:and change the line so it looks like:
#RunAsDaemon 1
RunAsDaemon 0

:then restart Tor:
sudo /etc/init.d/tor restart

== Using Tor with Firefox ==
[[File:Prefapp1.png|18 px]] Tor acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. Recent versions of Firefox allow direction of all traffic, including DNS resolution, through a Socks5 proxy. To enable this behaviour (after starting and running a previously installed version of Tor):
:Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> Manual proxy configuration (''ticked'') -> SOCKS Host: ''127.0.0.1'' (or ''localhost'') -> Port: ''9050'' -> SOCKSv5 (''ticked'') -> No Proxy for: ''127.0.0.1'' (or ''localhost'')
* To return to using Firefox without a proxy (such as Tor), choose "No proxy" in the Firefox Network settings:
:Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> No proxy (''ticked'')

== Tor Browser Bundle ==
The [https://www.torproject.org/projects/torbrowser.html Tor Browser Bundle] (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) provides greater functionality and security than the stock Firefox version with the standalone Torbutton. Install from [https://www.torproject.org/projects/torbrowser.html here] the version for your language and unpack it. For example:
wget <nowiki>https://www.torproject.org/dist/torbrowser/linux/</nowiki>tor-browser-gnu-linux-x86_64-2.2.35-12-dev-en-US.tar.gz
tar -xvzf tor-browser-gnu-linux-x86_64-2.2.35-12-dev-en-US.tar.gz

Then change to the extracted directory and start the Tor Browser Bundle:
cd tor-browser_en-US
./start-tor-browser

A menu item can also be created with the command to start it.

=== Torbutton (Firefox plug-in) ===
Once the [[#Tor_Browser_Bundle|Tor Browser Bundle]] is installed and Tor is running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Updates to Torbutton can be installed using the .xpi extension found directly from the [https://www.torproject.org/torbutton/ website].

* As of 2012, Torbutton only works with modified versions of Firefox found in the Tor Project's [https://www.torproject.org/projects/torbrowser.html Tor Browser Bundle] (Tor, Vidalia GUI, a modified version of Firefox, and Torbutton) or with some older (non-updated) versions of Firefox.

* Newer versions of Firefox may refuse to start when Torbutton is installed. If this occurs, Firefox must be started in safe mode:
firefox -safe-mode

:Be sure to select "Start in Safe Mode" instead of "Reset Firefox" (unless you want to erase all your configuration settings and erase all your extensions/add-ons/plug-ins). Once in Safe Mode, the Torbutton extension can be disabled or removed (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Remove) and Firefox set to use "No proxy" in the Firefox Network settings:
::Firefox -> Edit -> Preferences -> Advanced -> Network -> Connection:Settings -> No proxy (''ticked'')

* The standalone Torbutton add-on for Firefox disables many functions of Firefox (when used with older unmodified versions of Firefox), such as the Drag and Drop function. It must therefore be disabled (Firefox -> Tools -> Add-ons -> Extensions -> Torbutton -> Disable) while using many of these Firefox functions.

== Using Konversation with Tor ==
[[Kubuntu_Precise_Internet#Konversation_.28IRC_client.29|Konversation]] is an Internet Relay Chat client similar to mIRC. Unfortunately, your IP address is easily determioned while using an IRC client. Konversation directly allows the use of a Socks proxy, however. If running Tor on port 9050, configure Konversation to use the Socks5 proxy on port 9050:
:Konversation -> Settings -> Configure Konversation... -> Behavior: Connection -> Proxy (''ticked'') -> Type: ''Socks v5'' -> Address: ''127.0.0.1'' (or ''localhost'') -> Port: ''9050''

== Using proxies with Tor ==
=== usewithtor ===
* If you installed a recent version of Tor from the repositories, you will have installed the "[http://code.google.com/p/torsocks/ usewithtor]" package. A number of applications can be automatically redirected to the Torsocks proxy ([http://code.google.com/p/torsocks/ torsocks]) with this utility:
usewithtor ''myapplication''

A menu item with such a command can then be created.

* By using torsocks, usewithtor will also block an application from sending UDP traffic (which is not anonymized by the Tor network).

* Applications that you wish to "usewithtor" (with torsocks) or "torify" (with tsocks) should use port 8118 for the http proxy port and port 9050 for the socks port.

=== torify ===
* Another method is to "[https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO torify]" an application with a different tor socks proxy ([http://tsocks.sourceforge.net/ tsocks]) if tsocks has been configured (edit /etc/tor/tor-tsocks.conf).
torify ''myapplication''

* tsocks does not explictly block UDP traffic, so if it is desirable to allow UDP traffic while anonymizing fttp traffic, use this method.

=== Privoxy ===
* I use the Privoxy proxy to tunnel http traffic through Tor. Install the Privoxy http proxy:
sudo apt-get install privoxy

* Applications can be set to send their http traffic to Privoxy over port 8118; Privoxy will then in turn forward the http traffic to Tor over port 9050. (Use an IP address other than ''127.0.0.1'' if Privoxy and/or Tor are not on the local machine. Use ''localhost'' instead of ''127.0.0.1'' if using IPv6 addressing on your systems).

Note: For some older versions of Privoxy, users have reported better success designating the address of the host computer as ''127.0.0.1'' instead of ''localhost'' in the configuration settings.

* Edit configuration files.
:* In the configuration file Privoxy is configured by default to listen on port ''127.0.0.1'':8118. See [[#Firewall_considerations|Firewall considerations]]. Edit the Privoxy configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
sudo kate /etc/privoxy/config
::Add the lines
forward-socks5 / ''127.0.0.1'':9050 .
forward-socks4a / ''127.0.0.1'':9050 .

Note: socks5 allows more authentication choices, UDP for external DNS resolution, and accommodates IPv6. (By including both lines, socks4a is used as a fallback if a program does not support socks5.)

:*Restart Privoxy:
sudo /etc/init.d/privoxy restart

=== Other proxies ===
Other proxies such as [http://www.dest-unreach.org/socat/doc/socat.html socat], [http://www.pps.jussieu.fr/~jch/software/polipo/ Polipo] can also be used with Tor instead or Privoxy. [http://www.squid-cache.org/ Squid] can also be daisy-chained to one of the proxies.

=== Ensuring applications use the proxy ===
* See [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc#UnixandLinuxConfiguration this advice]. (Note: this is labeled as "old advice.") In (K)Ubuntu, the bash configuration files are at ~/.profile (i.e. /home/''user''/.profile) for the current user or at /etc/profile for system-wide usage. Using this advice, edit one of those two files and add the lines at the end of the file:
http_proxy=<nowiki>http://127.0.0.1:8118/</nowiki>
HTTP_PROXY=$http_proxy
export http_proxy HTTP_PROXY

==== Using specific applications with Tor ====
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers Web Browsers]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/EMail E-mail]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IrcSilc IRC/SILC]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/TorifyHOWTO/FTP FTP]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/Misc Misc]
* [https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/InstantMessaging Instant Messaging]
:* Torchat can be used for IM through Tor. Install:
sudo apt-get install torchat

* Other applications may allow for the http proxy and the chainloaded socks services of Tor to be used independently (in parallel). Once Tor (and the relevant proxy or proxies) are running, the http proxy ''127.0.0.1'':8118 and the socks proxy ''127.0.0.1'':9050 can be specified in the configuration settings of an application that allows for this.

== Tor GUIs ==
* It is not necessary to use a GUI with Tor.

* If you will use Tor with a GUI interface (such as Vidalia or TorK), however, edit the Tor configuration file (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):

sudo kate /etc/tor/torrc

:* Add the line so that the GUI interface can control Tor over port 9051:
ControlPort 9051

:Note: There is some concern that allowing control of Tor over port 9051 is not secure. If you will not be using a GUI, this step is not advised.

=== Vidalia (Tor interface) ===
[https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories (as of Natty 11.04). However, if desired it can still be installed (along with the required older Qt3 libraries) by adding the [http://packages.ubuntu.com/maverick/amd64/tork/download Maverick repository] (directly or using a package manager):
deb <nowiki>http://ubuntu.mirror.cambrium.nl/ubuntu/</nowiki> maverick main universe

* Installing TorK also will install privoxy and unless you have also added the Tor repository directly, will also install an older version of Tor from the Ubuntu universe repositories. See [http://ubuntuforums.org/archive/index.php/t-800115.html these installation tips]. Install:
sudo apt-get install tork privoxy

* Run TorK (K menu -> Internet -> TorK Anonymity Manager) for the first time using the First Run Wizard (TorK -> Tools -> First Run Wizard).
::"No, tor is going to run on this PC" then "I have to start Tor manually" then "Run A Tor client with default settings" then "I want to use Privoxy..." then "Privoxy starts in the background when my computer boots up" then go through the remaining options.
::I then start ("Play") TorK as a Client. I happen to like Konqueror for Anonymous browsing, since it worked the first time for me without a problem. I keep Firefox for non-Tor browsing (so I don't have to change any of its settings) or install Torbutton (see below). You may have to fiddle with your Network proxy settings in Konqueror or Firefox (if things don't work the way you expect them to).
* Allow the [[Ubuntu:All#Firewall|Firewall]] (like Firestarter) to allow ports 8118, 9050, 9051, or just turn off the firewall completely, until everything is working. Then turn the firewall back on. (You should monitor your firewall carefully. TorK has settings to automatically turn it off, if you aren't careful.) No ports are required to be left open in the firewall for Tor to work, as all traffic will be directed through the socks port 9050 (which avoids the firewall).
* Applications that you wish to "torify" (with tsocks) or "usewithtor" (with torsocks) should use port 8118 (i.e. 127.0.0.1:8118) for the http proxy and port 9050 (127.0.0.1:9050) for the socks port.

* Once configured as a client successfully, if you have the bandwidth and a stable environment please enable the client/relay mode and/or server mode so that the Tor bandwidth is increased.

* Note: Tork constantly monitors the network (both Tor and non-Tor traffic). This can cause slowing of the Tor traffic from your computer and even cause intermittent interruptions. (Tor runs in the background and does not require Tork to be running as a control module.) If Tor is running in a stable mode, it will be faster (and less problematic) to stop Tork (sudo killall tork) and allow Tor to run in the background.

* Note: Traffic that is routed through Privoxy (and then presumably to Tor from Privoxy if configured correctly) will be logged as "non-Tor" traffic by Tork. As long as Privoxy is working correctly, however, this traffic is being forwarded through the Tor socket.

* Tork does not start Privoxy properly. Privoxy must be started (prior to starting Tork) as a startup program (e.g. using the Bootup-Manager) or manually with the command:
sudo /etc/init.d/privoxy start

==== Prevent autostart of proxies and Tor ====
* Whenever I stopped the TorK GUI and then later wanted to start it again, I had to manually kill the Privoxy and Tor processes first.
sudo killall privoxy
sudo killall tor

* Further, Tor, Privoxy, and Polipo install themselves as automatically started services at bootup. Preventing automatic startup (at boot) of Tor and Privoxy (and/or Polipo) can be accomplished by one of the methods in this [http://ubuntuforums.org/showthread.php?t=1277224 Ubuntu Forums thread]. Personally, I like using [[Ubuntu:All#Choose_Bootup.2FStartup_services|Bootup-Manager]]:
sudo apt-get install bum

:but another option is:
sudo update-rc.d tor disable
sudo update-rc.d privoxy disable
sudo update-rc.d polipo disable

which will also stop updates from re-installing the applications as startup services when updates are made.

* If Privoxy is stopped, it must be re-started with the [[Ubuntu:All#Choose_Bootup.2FStartup_services|Bootup-Manager]] or using the command:
sudo /etc/init.d/privoxy start

== Firewall considerations ==
=== Single computer ===
If you have the Tor client, the proxy client (Privoxy, Polipo, or socat), and the browser client (or other application) on the same computer, you do not need to have any open ports in order to use Tor. In such a circumstance it is safest to block all ports that connect to the Internet. The socks proxy bypasses the firewall entirely (so there is no need to leave any ports open in order for it to communicate).

By closing all ports (using a firewall), applications will be prevented from bypassing Tor (accidentally or unknowingly). Later, if you wish to have some of your traffic directed through Tor and some of your traffic traffic routed outside of Tor, you can open the ports for the traffic that will not go through Tor.

=== Proxy on LAN ===
If the proxy (Privoxy, Polipo, socat, etc.) on your LAN is on a computer different from the computer(s) that have the end-user client applications, it is best to open the port (e.g. 8118) for communication only between computers on the LAN (with the end-application clients on them) and the computer on the LAN with the proxy on it. Port 8118 should then not be open to the Internet but only to the computers on the LAN that will use the proxy.

If the Proxy and Tor client are on different computers as well, port 9050 should be open (on the LAN, not on the Internet) between the computer with the Proxy and the computer with the Tor client only, so that the Proxy can forward traffic to the Tor client (but not to the Internet). (Obviously, if the Proxy and the Tor client are on the same computer, there is no need to open the 9050 port at all.)

=== Blocking all non-Tor traffic using iptables ===
To ensure that no unprotected traffic "leaks" from applications without your knowledge, it is possible to configure your firewall iptables to prevent all traffic except that which is transmitted through Tor.
* See [https://trac.torproject.org/projects/tor/wiki/doc/BlockNonTorTrafficDebian this page].

=== Tor network initialization ===
It may be necessary to open port 443 (or less desirably port 80) to allow resolution of the nodes of the Tor network. Consider using [[Ubuntu:All#DNS_Servers_and_Search_engines|DNS privacy methods]].

== Troubleshooting ==
*Some routers (including a certain version of the Linksys WRT54G) slow down when the incoming/outgoing connection log (cache) becomes full (which can happen with many Tor or P2P connections). Disable the Log if this problem occurs.

* Although applicable to p2p traffic, [http://ktorrent.org/wiki/index.php/FAQ#Problem_solving this information] is generically applicable to Tor as well.

== Other resources ==
* [http://www.torproject.org/docs/documentation.html Tor documentation]
* [https://www.torproject.org/projects/obfsproxy.html.en Obfsproxy] is a proxy to transform data between a client and a Bridge node into innocent looking data, in order to circumvent Deep Packet Inspection (DPI) censorship.
* [[Anonymous_email|Anonymous email]] tips -- setting up web-based email anonymously through the Tor network

* [http://www.cypherpunk.at/onioncat/ OnionCat] transmits IP-based data transparently through the Tor network on a location hidden basis. (Also see [http://www.abenteuerland.at/onioncat/ this info]).

Similar networks:

* [http://www.i2p2.de I2P] is another anonymizing network similar to Tor. (See [http://www.i2p2.de/debian instructions] and [https://help.ubuntu.com/community/I2P Ubuntu community help].)
* [http://freenetproject.org/ Freenet] is another anonymizing network similar to Tor.
* [https://gnunet.org/ Gnunet] is another anonymizing network similar to Tor.
* [https://secure.wikimedia.org/wikipedia/en/wiki/Anonymous_P2P#List_of_anonymous_P2P_networks_and_clients List of similar networks at Wikipedia]

Anonymous email

Perspectoff — Mon, 29 Apr 2013 17:48:30 GMT

Perspectoff: /* Anonymous blogging */

__TOC__

== Long-term anonymous email accounts ==
Sometimes you just want a truly anonymous email account. Spammers already know how to do this -- why shouldn't you? The information below is largely from this [http://advocacy.globalvoicesonline.org/projects/guide/#email Global Voices Online article].

* Set up Tor and run it. For truly anonymous access, run as a Tor relay.

* With Tor running and your Torbutton on (I assume you're running Firefox with Noscript for blocking scripts), access the TorMail hidden service at http://jhiwjjlqpyawmpjx.onion/ . Create a free email account there. This account will be used only as your "verification email" account. 
:* [https://lavabit.com Lavabit.com] has a very good free email service that is similar and also works with Tor.

* With Tor running and your Torbutton on (I assume you're running Firefox and [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|Noscript]] is blocking scripts), access the Fastmail web-based email service at https://www.fastmail.fm/. Sign up for a free email account there, using the previously established TorMail account as your verification email address.

* Voila! Now you have created an anonymous email account that is linked to another anonymous email account, all accomplished through the Tor network. That's pretty difficult to track, assuming you have the usual tracking mechanisms turned off (i.e. [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|no scripts]], routine [[Ubuntu_Precise_Privacy#Changing_a_MAC_address|MAC address changes]], using a [[Ubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|DNS server other than your own ISP's]], [[Ubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|encrypted connections (https)]], and other routine security measures).

:* Current password crackers (such as [[Ubuntu_Precise_Privacy#Password_checker_and_enforcement|John the Ripper]]) can run through millions of passwords in a few hours (see [http://www.h-online.com/open/news/item/John-the-Ripper-now-able-to-crack-office-files-and-use-GPUs-1631901.html this H-open article]). A random password can be generated using a [[Ubuntu_Precise_Privacy#Passwords_and_file_authentication|random password generator]] and used for your email password. Such passwords can be used for "secret questions" if those are required by the email service, as well. (An anonymous user suggests that even the usernames for the "verification" email accounts can consist of a randomly generated set of characters -- good idea!)

:* It is relatively insecure to allow one email account to send passwords or password-reset links to a "verification" email account (such as the one set up at TorMail). If the "verification" email account were to become compromised, it would be trivial for the hacker to reset the password at the (main) Fastmail email account. Furthermore, it is difficult to know who is running an email server in the first place, and it is wise to assume that the email on an email server (such as TorMail) can be examined by the owners of the email server. Of course, that's why you're using email through Tor in the first place -- for deniability in case the email server is compromised (and your email is intercepted).
::* A solution is to daisy-chain the verification email accounts. In such a scenario, the TorMail account is set up first. Then (for example) a [https://accounts.zoho.com/register?serviceurl=https://www.zoho.com/signup-redirect.html Zoho account] is set up using the TorMail account for verification. The nice thing about a Zoho account is that the user ID/password for the Zoho account (which is a SSO account for all the Zoho services) is different from the Zoho email username/ID. This adds a level of security. Zoho is Tor-permissive. Once a Zoho account and Zoho email account is set up, the Zoho email account is then used as the verification email for the Fastmail account.
::* Any or all of the "verification" email accounts (such as the original TorMail account) can then be deleted, leaving only the Fastmail account (and optionally the Zoho account) remaining. It should be noted that TorMail, Zoho, and Fastmail are all in different countries, which lends an added level of security.

Always use email through the Tor network or risk exposing your IP address(es). Always use an encrypted (https) connection as well, or risk exposing your data to a rogue Tor node. (All sensitive email should be encrypted using [[Ubuntu_Precise_Privacy#PGP_.28Message_Encryption.29|PGP]], of course, and never sent in cleartext.)

* Fastmail is a robust, high-bandwidth mail server (unlike TorMail) and is Tor-transparent (unlike Yahoo Mail and other free email services), nor does it have the high level of tracking mechanisms that GMail has. It also allows IMAP and SMTP through Tor (in case you desire to use it in that way).

* There are other Tor-permissive email services, however (including RiseUp.net). Want a review of the compatibility of other (free) email services with Tor? Then see this hidden service wiki (with Tor running and your Torbutton turned on): http://kpvz7ki2v5agwt35.onion/wiki/index.php/Email

* You could use the TorMail (and/or Zoho) account as your verification email account for a variety of services and if those services were available through Tor as well, you could be anonymous with them, too! However, once you use the TorMail (and/or Zoho) account for anything other than a verification email account, the chances of cross-correlation go up. I therefore recommend reserving a single TorMail (and/or Zoho) account for that purpose (i.e. as a verification account) only.

* Here's a moderated list of other Tor hidden services: http://nobody.zerodays.org/hidden-directory/

== Temporary non-anonymous email accounts ==
* Sometimes you just need a temporary email account just to sign up for some commenting system or something. Perhaps they send a "click this link to verify account" email, which is all you really need. Such emails need not be secure or private, since passwords and other identifying information is usually not sent in such messages.

:*[http://www.mailinator.com/ Mailinator] is the ideal solution for this type of temporary email account. It does not allow sending emails (and therefore is not apporpriate if you are trying to be a spammer), but it does allow you to receive one-time emails. You could use such an email account to receive a one-time message from some website (a coupon or something like that) which you know will generate endless spam in the future. With the temporary email account, you can "Let them eat spam!"

::*A random string of characters can be generated using a [[Ubuntu_Precise_Privacy#Passwords_and_file_authentication|random password generator]] and used as your email username. Mailinator allows a user ID up to 25 characters. (Mailinator can provide a random userID, as well.)

::*This is a great service, and the guy who runs it is very well-educated and amusing. Note that there is no privacy whatsoever with this service, except in the obscurity of your chosen email name. All messages to the temporary email box are deleted within a day.

::* Uh, yeah, of course you should access Mailinator through Tor, unless you particularly want your IP address to be identified with the temporary email account. The guy from Mailinator says he gets subpoena requests all the time. Stay protected. Use Tor when accessing Mailinator.

:* [http://www.spamgourmet.com/ Spamgourmet] is another service that allows temporary, discardable email addresses. It allows forwarding of up to three messages to another email account (perhaps your longterm anonymous email account?) so that you can give a Spamgourmet email address to some website, have their reply forwarded to your regular email account, and then not worry about the subsequent spam (after the first 3 messages) that inevitably follows. Spamgourmet discards anything after the first 3 messages.

== Anonymous blogging ==

* Now that you have an anonymous email account, why not set up an [https://en.wikipedia.org/wiki/Anonymous_blog anonymous blog]? I mean, are you any less reliable than a paid "journalist" that posts their poorly written nonsense on online newspapers? Here are some sites that allow anonymous blogs:

:* [http://www.blog.com/ Blog.com] allows free blogs.
:* [http://wordpress.com/ Wordpress] allows free blogs, but has a number of censorship rules and tends to remove sites quite quickly based on any complaint whatsoever. [http://www.dmoz.org/Computers/Internet/On_the_Web/Weblogs/Hosts/WordPress/Free/ Here] is a list of other hosts that allow free blogs using the Wordpress blogging software.
:* [http://www.blogger.com Blogger.com] was bought by Google and is available with a Google account. Anything hosted by Google must be assumed to be insecure, but for limited uses it may fit your needs.
:* [http://mashable.com/2007/08/06/free-blog-hosts/ Here] is a 2007 list of other free blog sites. I'm not sure how many are still functional.

* There have been several high-profile lawsuits of anonymous bloggers being sued after being tracked through their IP address using Java-based scripts or by Google Analytics. You are using [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] to block Google Analytics and Java scripts, aren't you? Of course, I KNOW you are accessing your blog only through Tor... right? See the [http://advocacy.globalvoicesonline.org/projects/guide/ Global Voices Online] article regarding anonymous blogging (with Tor).

== Other considerations ==

* Traditonal forensics have always used the evaluation of writing styles to identify authors. See [http://www.sciencedaily.com/releases/2011/03/110308124758.htm this article]. Frequent posts from the same author allow evaluation of writing patterns. One way to get around this is to use a translation service. Translate a message into another language, then translate the result back into the original language. This introduces random errors, making the writing style less consistently recognisable. (Be careful to use Tor when using [http://translate.google.com Google Tranlate] or other online services, of course, since Google and others use extensive tracking mechanisms.)


== Using an SMTP server ==
* You can easily send anonymous emails with your own SMTP server. This is how spammers and other malevolent Internet users accomplish it. See [http://tipsfromgeek.com/2008/03/send-anonymous-emails.html this article] for an example. Spammers suck, though. Heck, beating spam is the purpose of much of this page, isn't it? Why contribute to it?

Anonymous email

Perspectoff — Mon, 29 Apr 2013 17:46:31 GMT

Perspectoff: /* Temporary non-anonymous email accounts */

__TOC__

== Long-term anonymous email accounts ==
Sometimes you just want a truly anonymous email account. Spammers already know how to do this -- why shouldn't you? The information below is largely from this [http://advocacy.globalvoicesonline.org/projects/guide/#email Global Voices Online article].

* Set up Tor and run it. For truly anonymous access, run as a Tor relay.

* With Tor running and your Torbutton on (I assume you're running Firefox with Noscript for blocking scripts), access the TorMail hidden service at http://jhiwjjlqpyawmpjx.onion/ . Create a free email account there. This account will be used only as your "verification email" account. 
:* [https://lavabit.com Lavabit.com] has a very good free email service that is similar and also works with Tor.

* With Tor running and your Torbutton on (I assume you're running Firefox and [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|Noscript]] is blocking scripts), access the Fastmail web-based email service at https://www.fastmail.fm/. Sign up for a free email account there, using the previously established TorMail account as your verification email address.

* Voila! Now you have created an anonymous email account that is linked to another anonymous email account, all accomplished through the Tor network. That's pretty difficult to track, assuming you have the usual tracking mechanisms turned off (i.e. [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|no scripts]], routine [[Ubuntu_Precise_Privacy#Changing_a_MAC_address|MAC address changes]], using a [[Ubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|DNS server other than your own ISP's]], [[Ubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|encrypted connections (https)]], and other routine security measures).

:* Current password crackers (such as [[Ubuntu_Precise_Privacy#Password_checker_and_enforcement|John the Ripper]]) can run through millions of passwords in a few hours (see [http://www.h-online.com/open/news/item/John-the-Ripper-now-able-to-crack-office-files-and-use-GPUs-1631901.html this H-open article]). A random password can be generated using a [[Ubuntu_Precise_Privacy#Passwords_and_file_authentication|random password generator]] and used for your email password. Such passwords can be used for "secret questions" if those are required by the email service, as well. (An anonymous user suggests that even the usernames for the "verification" email accounts can consist of a randomly generated set of characters -- good idea!)

:* It is relatively insecure to allow one email account to send passwords or password-reset links to a "verification" email account (such as the one set up at TorMail). If the "verification" email account were to become compromised, it would be trivial for the hacker to reset the password at the (main) Fastmail email account. Furthermore, it is difficult to know who is running an email server in the first place, and it is wise to assume that the email on an email server (such as TorMail) can be examined by the owners of the email server. Of course, that's why you're using email through Tor in the first place -- for deniability in case the email server is compromised (and your email is intercepted).
::* A solution is to daisy-chain the verification email accounts. In such a scenario, the TorMail account is set up first. Then (for example) a [https://accounts.zoho.com/register?serviceurl=https://www.zoho.com/signup-redirect.html Zoho account] is set up using the TorMail account for verification. The nice thing about a Zoho account is that the user ID/password for the Zoho account (which is a SSO account for all the Zoho services) is different from the Zoho email username/ID. This adds a level of security. Zoho is Tor-permissive. Once a Zoho account and Zoho email account is set up, the Zoho email account is then used as the verification email for the Fastmail account.
::* Any or all of the "verification" email accounts (such as the original TorMail account) can then be deleted, leaving only the Fastmail account (and optionally the Zoho account) remaining. It should be noted that TorMail, Zoho, and Fastmail are all in different countries, which lends an added level of security.

Always use email through the Tor network or risk exposing your IP address(es). Always use an encrypted (https) connection as well, or risk exposing your data to a rogue Tor node. (All sensitive email should be encrypted using [[Ubuntu_Precise_Privacy#PGP_.28Message_Encryption.29|PGP]], of course, and never sent in cleartext.)

* Fastmail is a robust, high-bandwidth mail server (unlike TorMail) and is Tor-transparent (unlike Yahoo Mail and other free email services), nor does it have the high level of tracking mechanisms that GMail has. It also allows IMAP and SMTP through Tor (in case you desire to use it in that way).

* There are other Tor-permissive email services, however (including RiseUp.net). Want a review of the compatibility of other (free) email services with Tor? Then see this hidden service wiki (with Tor running and your Torbutton turned on): http://kpvz7ki2v5agwt35.onion/wiki/index.php/Email

* You could use the TorMail (and/or Zoho) account as your verification email account for a variety of services and if those services were available through Tor as well, you could be anonymous with them, too! However, once you use the TorMail (and/or Zoho) account for anything other than a verification email account, the chances of cross-correlation go up. I therefore recommend reserving a single TorMail (and/or Zoho) account for that purpose (i.e. as a verification account) only.

* Here's a moderated list of other Tor hidden services: http://nobody.zerodays.org/hidden-directory/

== Temporary non-anonymous email accounts ==
* Sometimes you just need a temporary email account just to sign up for some commenting system or something. Perhaps they send a "click this link to verify account" email, which is all you really need. Such emails need not be secure or private, since passwords and other identifying information is usually not sent in such messages.

:*[http://www.mailinator.com/ Mailinator] is the ideal solution for this type of temporary email account. It does not allow sending emails (and therefore is not apporpriate if you are trying to be a spammer), but it does allow you to receive one-time emails. You could use such an email account to receive a one-time message from some website (a coupon or something like that) which you know will generate endless spam in the future. With the temporary email account, you can "Let them eat spam!"

::*A random string of characters can be generated using a [[Ubuntu_Precise_Privacy#Passwords_and_file_authentication|random password generator]] and used as your email username. Mailinator allows a user ID up to 25 characters. (Mailinator can provide a random userID, as well.)

::*This is a great service, and the guy who runs it is very well-educated and amusing. Note that there is no privacy whatsoever with this service, except in the obscurity of your chosen email name. All messages to the temporary email box are deleted within a day.

::* Uh, yeah, of course you should access Mailinator through Tor, unless you particularly want your IP address to be identified with the temporary email account. The guy from Mailinator says he gets subpoena requests all the time. Stay protected. Use Tor when accessing Mailinator.

:* [http://www.spamgourmet.com/ Spamgourmet] is another service that allows temporary, discardable email addresses. It allows forwarding of up to three messages to another email account (perhaps your longterm anonymous email account?) so that you can give a Spamgourmet email address to some website, have their reply forwarded to your regular email account, and then not worry about the subsequent spam (after the first 3 messages) that inevitably follows. Spamgourmet discards anything after the first 3 messages.

== Anonymous blogging ==

* Now that you have an anonymous email account, why not set up an [https://en.wikipedia.org/wiki/Anonymous_blog anonymous blog]? I mean, are you any less reliable than a paid "journalist" that posts their poorly written nonsense on online newspapers? Here are some sites that allow anonymous blogs:

:* [http://www.blog.com/ Blog.com] allows free blogs.
:* [http://wordpress.com/ Wordpress] allows free blogs, but has a number of censorship rules and tends to remove sites quite quickly based on any complaint whatsoever. [http://www.dmoz.org/Computers/Internet/On_the_Web/Weblogs/Hosts/WordPress/Free/ Here] is a list of other hosts that allow free blogs using the Wordpress blogging software.
:* [http://www.blogger.com Blogger.com] was bought by Google and is available with a Google account. Anything hosted by Google must be assumed to be insecure, but for limited uses it may fit your needs.
:* [http://mashable.com/2007/08/06/free-blog-hosts/ Here] is a 2007 list of other free blog sites. I'm not sure how many are still functional.

* There have been several high-profile lawsuits of anonymous bloggers being sued after being tracked through their IP address using Java-based scripts or by Google Analytics. You are using [[Kubuntu:All#NoScript_plug-in_.28controls_scripts.29|NoScript]] to block Google Analytics and Java scripts, aren't you? Of course, I KNOW you are accessing your blog only through Tor... right? See the [http://advocacy.globalvoicesonline.org/projects/guide/ Global Voices Online] article regarding anonymous blogging (with Tor).

== Other considerations ==

* Traditonal forensics have always used the evaluation of writing styles to identify authors. See [http://www.sciencedaily.com/releases/2011/03/110308124758.htm this article]. Frequent posts from the same author allow evaluation of writing patterns. One way to get around this is to use a translation service. Translate a message into another language, then translate the result back into the original language. This introduces random errors, making the writing style less consistently recognisable. (Be careful to use Tor when using [http://translate.google.com Google Tranlate] or other online services, of course, since Google and others use extensive tracking mechanisms.)


== Using an SMTP server ==
* You can easily send anonymous emails with your own SMTP server. This is how spammers and other malevolent Internet users accomplish it. See [http://tipsfromgeek.com/2008/03/send-anonymous-emails.html this article] for an example. Spammers suck, though. Heck, beating spam is the purpose of much of this page, isn't it? Why contribute to it?

Anonymous email

Perspectoff — Mon, 29 Apr 2013 17:44:08 GMT

Perspectoff: /* Long-term anonymous email accounts */

__TOC__

== Long-term anonymous email accounts ==
Sometimes you just want a truly anonymous email account. Spammers already know how to do this -- why shouldn't you? The information below is largely from this [http://advocacy.globalvoicesonline.org/projects/guide/#email Global Voices Online article].

* Set up Tor and run it. For truly anonymous access, run as a Tor relay.

* With Tor running and your Torbutton on (I assume you're running Firefox with Noscript for blocking scripts), access the TorMail hidden service at http://jhiwjjlqpyawmpjx.onion/ . Create a free email account there. This account will be used only as your "verification email" account. 
:* [https://lavabit.com Lavabit.com] has a very good free email service that is similar and also works with Tor.

* With Tor running and your Torbutton on (I assume you're running Firefox and [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|Noscript]] is blocking scripts), access the Fastmail web-based email service at https://www.fastmail.fm/. Sign up for a free email account there, using the previously established TorMail account as your verification email address.

* Voila! Now you have created an anonymous email account that is linked to another anonymous email account, all accomplished through the Tor network. That's pretty difficult to track, assuming you have the usual tracking mechanisms turned off (i.e. [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|no scripts]], routine [[Ubuntu_Precise_Privacy#Changing_a_MAC_address|MAC address changes]], using a [[Ubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|DNS server other than your own ISP's]], [[Ubuntu_Precise_Privacy#DNS_Servers_and_Search_engines|encrypted connections (https)]], and other routine security measures).

:* Current password crackers (such as [[Ubuntu_Precise_Privacy#Password_checker_and_enforcement|John the Ripper]]) can run through millions of passwords in a few hours (see [http://www.h-online.com/open/news/item/John-the-Ripper-now-able-to-crack-office-files-and-use-GPUs-1631901.html this H-open article]). A random password can be generated using a [[Ubuntu_Precise_Privacy#Passwords_and_file_authentication|random password generator]] and used for your email password. Such passwords can be used for "secret questions" if those are required by the email service, as well. (An anonymous user suggests that even the usernames for the "verification" email accounts can consist of a randomly generated set of characters -- good idea!)

:* It is relatively insecure to allow one email account to send passwords or password-reset links to a "verification" email account (such as the one set up at TorMail). If the "verification" email account were to become compromised, it would be trivial for the hacker to reset the password at the (main) Fastmail email account. Furthermore, it is difficult to know who is running an email server in the first place, and it is wise to assume that the email on an email server (such as TorMail) can be examined by the owners of the email server. Of course, that's why you're using email through Tor in the first place -- for deniability in case the email server is compromised (and your email is intercepted).
::* A solution is to daisy-chain the verification email accounts. In such a scenario, the TorMail account is set up first. Then (for example) a [https://accounts.zoho.com/register?serviceurl=https://www.zoho.com/signup-redirect.html Zoho account] is set up using the TorMail account for verification. The nice thing about a Zoho account is that the user ID/password for the Zoho account (which is a SSO account for all the Zoho services) is different from the Zoho email username/ID. This adds a level of security. Zoho is Tor-permissive. Once a Zoho account and Zoho email account is set up, the Zoho email account is then used as the verification email for the Fastmail account.
::* Any or all of the "verification" email accounts (such as the original TorMail account) can then be deleted, leaving only the Fastmail account (and optionally the Zoho account) remaining. It should be noted that TorMail, Zoho, and Fastmail are all in different countries, which lends an added level of security.

Always use email through the Tor network or risk exposing your IP address(es). Always use an encrypted (https) connection as well, or risk exposing your data to a rogue Tor node. (All sensitive email should be encrypted using [[Ubuntu_Precise_Privacy#PGP_.28Message_Encryption.29|PGP]], of course, and never sent in cleartext.)

* Fastmail is a robust, high-bandwidth mail server (unlike TorMail) and is Tor-transparent (unlike Yahoo Mail and other free email services), nor does it have the high level of tracking mechanisms that GMail has. It also allows IMAP and SMTP through Tor (in case you desire to use it in that way).

* There are other Tor-permissive email services, however (including RiseUp.net). Want a review of the compatibility of other (free) email services with Tor? Then see this hidden service wiki (with Tor running and your Torbutton turned on): http://kpvz7ki2v5agwt35.onion/wiki/index.php/Email

* You could use the TorMail (and/or Zoho) account as your verification email account for a variety of services and if those services were available through Tor as well, you could be anonymous with them, too! However, once you use the TorMail (and/or Zoho) account for anything other than a verification email account, the chances of cross-correlation go up. I therefore recommend reserving a single TorMail (and/or Zoho) account for that purpose (i.e. as a verification account) only.

* Here's a moderated list of other Tor hidden services: http://nobody.zerodays.org/hidden-directory/

== Temporary non-anonymous email accounts ==
* Sometimes you just need a temporary email account just to sign up for some commenting system or something. Perhaps they send a "click this link to verify account" email, which is all you really need. Such emails need not be secure or private, since passwords and other identifying information is usually not sent in such messages.

:*[http://www.mailinator.com/ Mailinator] is the ideal solution for this type of temporary email account. It does not allow sending emails (and therefore is not apporpriate if you are trying to be a spammer), but it does allow you to receive one-time emails. You could use such an email account to receive a one-time message from some website (a coupon or something like that) which you know will generate endless spam in the future. With the temporary email account, you can "Let them eat spam!"

::*A random string of characters can be generated using a [[Ubuntu_Precise_Tips#Random_password_generator|random password generator]] and used as your email username. Mailinator allows a user ID up to 25 characters. (Mailinator can provide a random userID, as well.)

::*This is a great service, and the guy who runs it is very well-educated and amusing. Note that there is no privacy whatsoever with this service, except in the obscurity of your chosen email name. All messages to the temporary email box are deleted within a day.

::* Uh, yeah, of course you should access Mailinator through Tor, unless you particularly want your IP address to be identified with the temporary email account. The guy from Mailinator says he gets subpoena requests all the time. Stay protected. Use Tor when accessing Mailinator.

:* [http://www.spamgourmet.com/ Spamgourmet] is another service that allows temporary, discardable email addresses. It allows forwarding of up to three messages to another email account (perhaps your longterm anonymous email account?) so that you can give a Spamgourmet email address to some website, have their reply forwarded to your regular email account, and then not worry about the subsequent spam (after the first 3 messages) that inevitably follows. Spamgourmet discards anything after the first 3 messages.

== Anonymous blogging ==

* Now that you have an anonymous email account, why not set up an [https://en.wikipedia.org/wiki/Anonymous_blog anonymous blog]? I mean, are you any less reliable than a paid "journalist" that posts their poorly written nonsense on online newspapers? Here are some sites that allow anonymous blogs:

:* [http://www.blog.com/ Blog.com] allows free blogs.
:* [http://wordpress.com/ Wordpress] allows free blogs, but has a number of censorship rules and tends to remove sites quite quickly based on any complaint whatsoever. [http://www.dmoz.org/Computers/Internet/On_the_Web/Weblogs/Hosts/WordPress/Free/ Here] is a list of other hosts that allow free blogs using the Wordpress blogging software.
:* [http://www.blogger.com Blogger.com] was bought by Google and is available with a Google account. Anything hosted by Google must be assumed to be insecure, but for limited uses it may fit your needs.
:* [http://mashable.com/2007/08/06/free-blog-hosts/ Here] is a 2007 list of other free blog sites. I'm not sure how many are still functional.

* There have been several high-profile lawsuits of anonymous bloggers being sued after being tracked through their IP address using Java-based scripts or by Google Analytics. You are using [[Kubuntu:All#NoScript_plug-in_.28controls_scripts.29|NoScript]] to block Google Analytics and Java scripts, aren't you? Of course, I KNOW you are accessing your blog only through Tor... right? See the [http://advocacy.globalvoicesonline.org/projects/guide/ Global Voices Online] article regarding anonymous blogging (with Tor).

== Other considerations ==

* Traditonal forensics have always used the evaluation of writing styles to identify authors. See [http://www.sciencedaily.com/releases/2011/03/110308124758.htm this article]. Frequent posts from the same author allow evaluation of writing patterns. One way to get around this is to use a translation service. Translate a message into another language, then translate the result back into the original language. This introduces random errors, making the writing style less consistently recognisable. (Be careful to use Tor when using [http://translate.google.com Google Tranlate] or other online services, of course, since Google and others use extensive tracking mechanisms.)


== Using an SMTP server ==
* You can easily send anonymous emails with your own SMTP server. This is how spammers and other malevolent Internet users accomplish it. See [http://tipsfromgeek.com/2008/03/send-anonymous-emails.html this article] for an example. Spammers suck, though. Heck, beating spam is the purpose of much of this page, isn't it? Why contribute to it?

Template:K Precise/Privacy

Perspectoff — Mon, 29 Apr 2013 17:34:45 GMT

Perspectoff: /* Web browsing */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu_Precise_Internet#Enigmail|Enigmail]] add-on for the [[Kubuntu_Precise_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu_Precise_Internet#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Precise_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Quantal/Privacy

Perspectoff — Mon, 29 Apr 2013 17:33:19 GMT

Perspectoff: /* Web browsing */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu_Quantal_Internet#Enigmail|Enigmail]] add-on for the [[Kubuntu_Quantal_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu_Quantal_Internet#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu_Quantal_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Quantal_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Raring/Privacy

Perspectoff — Mon, 29 Apr 2013 17:32:00 GMT

Perspectoff: /* Web browsing */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu_Raring_Internet#Enigmail|Enigmail]] add-on for the [[Kubuntu_Raring_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu_Raring_Internet#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu_Raring_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Raring_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Precise/Privacy

Perspectoff — Mon, 29 Apr 2013 17:23:00 GMT

Perspectoff: /* Enigmail with Thunderbird */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu_Precise_Internet#Enigmail|Enigmail]] add-on for the [[Kubuntu_Precise_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu:Precise#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu:Precise#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Precise_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Quantal/Privacy

Perspectoff — Mon, 29 Apr 2013 17:22:00 GMT

Perspectoff: /* Enigmail with Thunderbird */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu_Quantal_Internet#Enigmail|Enigmail]] add-on for the [[Kubuntu_Quantal_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu:Quantal#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu:Quantal#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Quantal_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Raring/Privacy

Perspectoff — Mon, 29 Apr 2013 17:20:35 GMT

Perspectoff:

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu_Raring_Internet#Enigmail|Enigmail]] add-on for the [[Kubuntu_Raring_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu:Raring#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu:Raring#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Raring_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:U Raring/Privacy

Perspectoff — Sun, 28 Apr 2013 05:23:24 GMT

Perspectoff: /* DNS Servers and Search engines */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

=== PGP (Message Encryption) ===
[http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] (OpenPGP and [http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG]) is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it.

==== Enigmail with Thunderbird ====
By far the easiest method for encrypting email is using the [[Ubuntu_Raring_Internet#Enigmail|Enigmail]] add-on for the [[Ubuntu_Raring_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

==== Seahorse ====
[http://projects.gnome.org/seahorse/ Seahorse] is the GUI for Gnome to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It can also manage your [[#SSH|SSH]] keys. For more info see [http://ubuntu-tutorials.com/2007/08/14/privacy-and-encryption-with-pgp-signing-and-encrypting-email-files/ this tutorial]. Run:
:Menu -> Applications -> Accessories --> Passwords and Encryption Keys

=== Web browsing ===
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Ubuntu_Raring_Internet#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Ubuntu_Raring_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

=== Tor (Network Privacy) ===
[http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

==== Vidalia (Tor interface) ====
[https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

==== Using Tor with Firefox ====
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

===== Torbutton (Firefox plug-in) =====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

=== DNS Servers and Search engines ===
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. It can be used with your Torbutton turned on.

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

=== Changing a MAC address ===
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

=== Certificate verification ===
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Ubuntu_Raring_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:U Quantal/Privacy

Perspectoff — Sun, 28 Apr 2013 05:22:35 GMT

Perspectoff: /* DNS Servers and Search engines */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

=== PGP (Message Encryption) ===
[http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] (OpenPGP and [http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG]) is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it.

==== Enigmail with Thunderbird ====
By far the easiest method for encrypting email is using the [[Ubuntu_Quantal_Internet#Enigmail|Enigmail]] add-on for the [[Ubuntu_Quantal_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

==== Seahorse ====
[http://projects.gnome.org/seahorse/ Seahorse] is the GUI for Gnome to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It can also manage your [[#SSH|SSH]] keys. For more info see [http://ubuntu-tutorials.com/2007/08/14/privacy-and-encryption-with-pgp-signing-and-encrypting-email-files/ this tutorial]. Run:
:Menu -> Applications -> Accessories --> Passwords and Encryption Keys

=== Web browsing ===
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Ubuntu_Quantal_Internet#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Ubuntu_Quantal_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

=== Tor (Network Privacy) ===
[http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

==== Vidalia (Tor interface) ====
[https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

==== Using Tor with Firefox ====
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

===== Torbutton (Firefox plug-in) =====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

=== DNS Servers and Search engines ===
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. It can be used with your Torbutton turned on.

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

=== Changing a MAC address ===
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

=== Certificate verification ===
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Ubuntu_Quantal_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:U Precise/Privacy

Perspectoff — Sun, 28 Apr 2013 05:17:21 GMT

Perspectoff: /* DNS Servers and Search engines */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

=== PGP (Message Encryption) ===
[http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP] (OpenPGP and [http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG]) is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it.

==== Enigmail with Thunderbird ====
By far the easiest method for encrypting email is using the [[Ubuntu_Precise_Internet#Enigmail|Enigmail]] add-on for the [[Ubuntu_Precise_Internet#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

==== Seahorse ====
[http://projects.gnome.org/seahorse/ Seahorse] is the GUI for Gnome to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It can also manage your [[#SSH|SSH]] keys. For more info see [http://ubuntu-tutorials.com/2007/08/14/privacy-and-encryption-with-pgp-signing-and-encrypting-email-files/ this tutorial]. Run:
:Menu -> Applications -> Accessories --> Passwords and Encryption Keys

=== Web browsing ===
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Ubuntu_Precise_Internet#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Ubuntu_Precise_Internet#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

=== Tor (Network Privacy) ===
[http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

==== Vidalia (Tor interface) ====
[https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

==== Using Tor with Firefox ====
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

===== Torbutton (Firefox plug-in) =====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

=== DNS Servers and Search engines ===
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. It can be used with your Torbutton turned on.

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

=== Changing a MAC address ===
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

=== Certificate verification ===
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Ubuntu_Precise_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Precise/Privacy

Perspectoff — Sun, 28 Apr 2013 05:16:10 GMT

Perspectoff: /* DNS Servers and Search engines */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu:Precise#Enigmail|Enigmail]] add-on for the [[Kubuntu:Precise#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu:Precise#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu:Precise#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Precise_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Quantal/Privacy

Perspectoff — Sun, 28 Apr 2013 05:15:00 GMT

Perspectoff: /* DNS Servers and Search engines */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu:Quantal#Enigmail|Enigmail]] add-on for the [[Kubuntu:Quantal#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu:Quantal#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu:Quantal#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Quantal_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:K Raring/Privacy

Perspectoff — Sun, 28 Apr 2013 05:14:24 GMT

Perspectoff: /* DNS Servers and Search engines */

= Privacy =
An interesting perspective on Internet privacy techniques can be found [http://farid.hajji.name/blog/2009/06/20/circumventing-internet-censorship/ here].

== PGP (Message Encryption) ==
[http://en.wikipedia.org/wiki/GNU_Privacy_Guard GnuPG] is the free open source implementation of the OpenPGP standard for [http://en.wikipedia.org/wiki/Pretty_Good_Privacy PGP]. It is a tool to encrypt your messages (such as email) to be unlocked only by someone who has a key to unlock it. While gpg is the default OpenPGP tool for command-line usage, gpg2 is the utility generally used by GUI frontends.

=== Enigmail with Thunderbird ===
[[File:Prefapp1.png|18 px]] By far the easiest method for encrypting email is using the [[Kubuntu:Raring#Enigmail|Enigmail]] add-on for the [[Kubuntu:Raring#Thunderbird|Thunderbird]] email client. It creates PGP key pairs, stores and retrieves keys from keyrings, and encrypts and decrypts messages automatically.

=== Kleopatra (Cryptography and Certificate Manager) ===
[http://www.kde.org/applications/utilities/kleopatra/ Kleopatra] is a certificate manager and a universal crypto GUI for KDE. It supports managing X.509 and OpenPGP certificates in the GpgSM keybox and retrieving certificates from LDAP servers. Install:
sudo apt-get install kleopatra

* Create a new OpenPGP keypair:
:K menu -> Utilities -> Kleopatra -> File -> New Certificate... -> Create a personal OpenPGP key pair

=== KGPG ===
[http://utils.kde.org/projects/kgpg/ KGpg] is the GUI for KDE to manage the key pairs and other options of [http://www.gnupg.org/ GnuPG]. It has fewer options than Kleopatra. Install:
sudo apt-get install kgpg

=== PGP Troubleshooting ===
If KGPG or Kleopatra gives an error, it is because of a problem with settings in the gpg.conf configuration file ( ~/.gnupg/gpg.conf). Edit the file (using either ~/ or /home/''user''/ ):
kate /home/''user''/.gnupg/gpg.conf

Comment out the two lines at the bottom:
#debug-level basic
#log-file socket:///home/''user''/.gnupg/log-socket

== Web browsing ==
Web tracking, scripts, and advertisements are extremely intrusive on the Internet. A dossier of your online habits is created by a multitude of services, including every major portal such as Google and Yahoo, as well as a variety of tracking services on the Internet. This is accomplished through the use of the "cookies" in your browser and by a variety of web elements (sometimes called "web beacons") embedded on the web pages you visit. Your behavior is monitored and correlated by recording the IP address of your computer, even when you turn off the cookies in your browser. Still, it is highly recommended to configure your web browser to erase your [http://support.mozilla.org/en-US/kb/Cookies cookies] and history every time the web browser is closed; otherwise, every website you subsequently visit can instantly see the long list of recent websites you have visited. In Firefox, for example, cookies can be accepted for the current session but erased upon closing:
:Firefox -> Edit -> Preferences -> Privacy -> History -> Firefox will: ''Use custom settings for history''
:-> ''Always use private browsing mode'' (or customise the settings to your desired level of privacy)
* In addition, both [[Kubuntu:Raring#Adblock_Plus_plug-in_.28block_ads_in_a_web_page.29|Adblock Plus]] and [[Kubuntu:Raring#NoScript_plug-in_.28controls_scripts.29|NoScript]] are highly recommended as plug-ins for Firefox (and other Gecko-based browsers) to limit exposure to undesirable web elements, scripts, and tracking mechanisms.

== Tor (Network privacy) ==
[[File:Prefapp1.png|18 px]] [http://www.torproject.org/ Tor] is a project to allow privacy while using the Internet and to limit usage tracking. It routes your traffic through several anonymous nodes, so that your usage appears to come from an IP other than your own. (There are always risks when using the Internet that even Tor can not help with, though. Read [http://www.torproject.org/download.html.en#Warning this].) Using Tor can slow down your Internet usage significantly, depending on how much traffic is being passed through the Tor network (routine file-sharing or large downloads will also significantly reduce performance of the Tor network.)


* Install Tor by following the instructions [https://www.torproject.org/docs/debian here]. Note that the instructions require port 11371 on your firewall to be open to use the gpg keyserver (and download the key for the debian package). Then see the [http://www.torproject.org/docs/tor-doc-unix.html Tor installation guide] for details.

* By default Tor (once it is running) acts as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy] on port 9050. To send traffic from any application through Tor, configure the settings of that application to use a socks5 proxy on port 9050.

* Also see these additional [[Tor|tips]].

=== Vidalia (Tor interface) ===
[[File:Prefapp1.png|18 px]] [https://www.torproject.org/projects/vidalia.html Vidalia] is the recommended Qt4-based GUI frontend for Tor. If not installed with Tor, install:
sudo apt-get install vidalia

=== Tork (KDE Tor interface) ===
[http://sourceforge.net/projects/tork/ TorK] is a KDE interface for Tor that relied on the older Qt3 platform. It is no longer included in the (K)Ubuntu repositories. However, if desired it can be installed (along with the older Qt3 libraries). See [[Tor#Tork_.28KDE_Tor_interface.29|this section]].

=== Using Tor with Firefox ===
[[File:Prefapp1.png|18 px]] Recent versions of Firefox allow direct use of Tor as a [https://en.wikipedia.org/wiki/SOCKS Socks5 proxy], both for traffic and DNS resolution. See [[Tor#Using_Tor_with_Firefox|this section]] for information on configuring this.

==== Torbutton (Firefox plug-in) ====
* Once Tor is installed and running properly, [https://www.torproject.org/torbutton/ Torbutton] allows you to choose whether to use Firefox through the Tor anonymizing network or not. Torbutton only works with older (non-updated) versions of Firefox or with modified versions of Firefox found in the [[Tor#Tor_Browser_Bundle|Tor Browser Bundle]]. Newer versions of Firefox may refuse to start if Torbutton is installed. See [[Tor#Torbutton_(Firefox_plug-in)|this section]] for more details.

== DNS Servers and Search engines ==
* Most users rely on the [http://en.wikipedia.org/wiki/Domain_Name_System DNS] server of their ISP (Internet Service Provider). DNS queries can be recorded, however, and theoretically correlated by an ISP to the data traffic to/from a user's IP address serviced by that ISP. A somewhat less trackable solution is to use a DNS service that does not belong to your ISP. This can belong to another commercial ISP or to a third party service such as [http://www.opendns.com/ OpenDNS], [http://www.comodo.com/secure-dns/ Comodo], [http://www.scrubit.com/ ScrubIT], [http://code.google.com/speed/public-dns/ Google] (though slightly less secure due to Google's own tracking mechanisms), another [http://theos.in/windows-xp/free-fast-public-dns-server-list/ free DNS service], or (for maximum security) a publicly-available [http://portforward.com/networking/dns.htm international DNS server]. For example, a Verizon customer could use the [http://www.whatsmydns.net/dns/usa/att.html AT&T DNS servers] or the OpenDNS servers. An AT&T customer could use one of the [http://www.dslreports.com/faq/1591 Verizon servers] or the Google servers. It is important to use a reliable DNS provider, however, as [http://en.wikipedia.org/wiki/Man-in-the-middle_attack man-in-the-middle DNS redirection] and [http://en.wikipedia.org/wiki/DNS_cache_poisoning DNS cache poisoning] attacks are increasingly common. Stick to one of the major DNS services (just not your own ISP's DNS service). It is important to note that starting Feburary 25, 2013, 5 major ISPs (Internet Service Providers) in the US (Comcast, Verizon, AT&T, Time Warner Cable, and Cablevision) have agreed to IP address recording and reporting (to the [https://en.wikipedia.org/wiki/Center_for_Copyright_Information CCI]) on behalf of the [https://en.wikipedia.org/wiki/Motion_Picture_Association_of_America MPAA] and [https://en.wikipedia.org/wiki/Recording_Industry_Association_of_America RIAA]. If using one of these ISPs, take extra efforts to ensure your privacy.

The DNS server setting can be changed in the router's settings (recommended) or individually for each computer. If changing on an individual computer, use the Network Manager or Wicd settings, or if using a static IP address with manually configured settings, add a line to /etc/network/interfaces with a list of the desired dns-nameservers at the end of the iface stanza so that the file resembles:

auto eth0
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
dns-nameservers 8.26.56.26 208.67.222.222 8.20.247.20 208.67.220.220 8.8.8.8 8.8.4.4

* Many search engines track your search requests (notably Google, Bing, and Yahoo) and keep logs of the searches they receive from your IP address. [https://duckduckgo.com DuckDuckGo.com] is a filtered search engine that has made its reputation not only by promising not to track searches, but also by providing a secure (encrypted), Tor-capable and anonymized search portal. Point your browser to https://duckduckgo.com. (It can be used with your Torbutton turned on.)

* Many censorship/filtering/tracking techniques (that use [https://secure.wikimedia.org/wikipedia/en/wiki/Deep_packet_inspection deep packet inspection]) cannot be used with secure ([https://secure.wikimedia.org/wikipedia/en/wiki/Transport_Layer_Security SSL/TLS] encrypted) websites (denoted by ''[https://secure.wikimedia.org/wikipedia/en/wiki/HTTP_Secure <nowiki>https://</nowiki>]'' ). Use them whenever possible. For example, use the [https://secure.wikimedia.org/ secure Wikimedia portal] for Wikipedia (and other Wikimedia services) instead of the insecure portal(s).

* Many websites keep logs of referring http headers (which can be correlated with cookies to track your browsing activities). To turn off the passage of referral headers in Firefox, see [http://cafe.elharo.com/privacy/privacy-tip-3-block-referer-headers-in-firefox/ this info].

== Changing a MAC address ==
The MAC address of your network interface card is the "fingerprint" of your network connection. It is not possible to hide the MAC address and most tracking methods now use the MAC address to record user habits. To combat this, it is possible to change ("spoof") your apparent MAC address using software. It is important to remember, however, that it is generally the MAC address of the router (not computers on a LAN) which is displayed to the Internet. If you change the MAC of your computer but not the MAC of your router, you will gain nothing. Be sure to change both frequently (but most importantly that of the router).

* It is possible to set the MAC address to a random selection in the Network Manager configuration:
:Network Manager -> Manage Connections... -> ''connection'' -> Edit... -> Ethernet -> Cloned MAC Address -> Random -> Ok

* [http://www.alobbs.com/macchanger Macchanger] is a utility to change a MAC address. Install:
suod apt-get install macchanger

== Certificate verification ==
* [http://en.wikipedia.org/wiki/Certificate_authority Certificate authorities] charge a fee to store and verify [http://en.wikipedia.org/wiki/Public_key_certificate certificates]. However, many websites use [http://en.wikipedia.org/wiki/Self-signed_certificate self-signed certificates] that are not registered with any certifying authority. A free system of certificate "network notaries" has emerged called [http://perspectives-project.org/ Perspectives]. A certificate's validity (even if self-signed) can be checked using a [https://addons.mozilla.org/en-US/firefox/addon/perspectives/ Firefox plugin]. For more info see [http://www.dedoimedo.com/computers/firefox-perspectives.html this article].

* [https://secure.wikimedia.org/wikipedia/en/wiki/CAcert.org CAcert.org] is a free certifying authority that maintains weak certificates that are recognized by many open source operating systems, but not by Firefox or most browsers. (For browsers that do not include CAcert.org recognition, certificates appear to be self-signed certificates.) While Debian incorporates CACert.org's root certificate by default, Ubuntu derivatives do not ([https://secure.wikimedia.org/wikipedia/en/wiki/Canonical_Ltd. Canonical] was originally founded with funds earned from [https://secure.wikimedia.org/wikipedia/en/wiki/Thawte Thawte], a certifying authority founded by [https://secure.wikimedia.org/wikipedia/en/wiki/Mark_Shuttleworth Mark Shuttleworth].)

== Passwords and file authentication ==
* See this excellent article at H-Online about [http://www.h-online.com/security/features/Password-protection-for-everyone-1795647.html password protection for everyone].

=== Random password generator ===
* Pwgen is a command line utility to generate a block of random 8-digit alphanumeric passwords. Run it from Konsole (in Kubuntu) or Terminal (in Ubuntu). Install:
sudo apt-get install pwgen
:* Run pwgen:
pwgen

* UUIDgen is a default utility to generate a random UUID (using only [http://en.wikipedia.org/wiki/Hexadecimal hex-digits]). Run:
uuidgen

The random UUID can also be used as a 32-digit password, if desired.

=== Password checker and enforcement ===
[http://www.openwall.com/john/ John the Ripper] is a free open source password cracker that uses a dictionary of over 4 million commonly used passwords in many languages. Because this tool is widely available, it is useful for scanning and securing your own LAN and computers for password strength. Install:
sudo apt-get install john

* [http://www.openwall.com/passwdqc/ Passwdqc] is a module to enforce password strength. Install:
sudo apt-get install passwdqc

=== MD5Sum ===
To check the MD5 sum of a file, use this command in the command line:
md5sum ''filename''

== File archival and encryption ==
''Under construction''

=== Archives with Passwords ===
* See [[Kubuntu_Raring_Utilities#Archiving_Utilities|this section]].

== Disk and Storage Encryption ==
''Under construction''
* See the [http://help.ubuntu.com/community/FullDiskEncryptionHowto Ubuntu Community documentation] for methods of full disk encryption.
* See the [http://help.ubuntu.com/community/EncryptedFilesystems Ubuntu Community documentation] for methods of filesystem encryption.

Template:Video Conversion

Perspectoff — Sat, 27 Apr 2013 21:13:22 GMT

Perspectoff: /* Create a commercial (.vob) format DVD */

= Video Conversion =
This guide does not advocate the illegal duplication of copyrighted content. However, fewer and fewer devices use DVDs any longer, and a large amount of video content is distributed on DVDs. It becomes necessary to convert video content into formats that can be viewed on devices that no longer used DVDs. Furthermore, online content is often in a format that is not universally playable and this also requires conversion. Trying to select and encode a video into a format which your device accepts is not always a straightforward task.

== Introduction ==
There are lots of video and audio codecs and lots of methods and preferences for converting between formats. These are only some basic examples. A good deal of trial and error is often required for successful video conversion.

* Mencoder and FFMPEG are the two packages that are the workhorses of video conversion. Of these, mencoder is faster and generally gives better results.

* [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]] uses a streaming algorithm and FFMPEG to "rip" DVDs and can work with many different encryption methods. It uses the (superior, open source) [http://en.wikipedia.org/wiki/Matroska .MKV] container only, however (which is not supported by many devices). It also does not support [http://en.wikipedia.org/wiki/Xvid XVID] (and uses either [http://en.wikipedia.org/wiki/X264 X264/H.264] or [http://en.wikipedia.org/wiki/MPEG-4_Part_14 MP4] video codecs) and therefore its video output is also not universally accepted by a wide range of devices. As these standards become more widely accepted, however, this will be an invaluable encoding tool. On rare occasions I rip a video with Handbrake (to .MKV and H.264/MP3) and then convert it to .AVI (XVID/MP3) in a second step (using mencoder).

* When I originally wrote these articles, .MKV was accommodated by only a handful of DVD players. A recent survey of new DVD players shows that most (including widely available inexpensive DVD players) will now play files in .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. However, over the years I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at Best Buy for $40). I highly recommend this player if you find yourself with a large collection of .AVI / XVID video files.

== Mencoder ==
[http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html Mencoder] is part of the [http://www.mplayerhq.hu/DOCS/HTML/en/index.html MPlayer] set of libraries (that also uses several of the FFMPEG libraries) for audio/visual conversion. If it is not installed on your system, install it:
sudo apt-get install mencoder

Usage instructions can be found from the command-line (''man mencoder'') or [http://linux.die.net/man/1/mencoder here].

=== MP4 with AAC audio to AVI with Xvid / MP3 ===
* The [http://en.wikipedia.org/wiki/Advanced_Audio_Coding#Licensing_and_patents AAC audio codec] is not compatible with many DVD players and devices due to licensing restrictions, whereas the MP3 audio codec is nearly universally accepted. Xvid is the open source version of the DivX video codec and is accepted by a very large number of DVD players and other devices (even older ones, especially those displaying the DivX logo).

* The [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container only allows a [http://en.wikipedia.org/wiki/Constant_bitrate constant bitrate], so the MP3 audio must be encoded at CBR. If the AAC is [http://en.wikipedia.org/wiki/5.1_surround_sound 5.1], it will be downcoded to stereo for MP3.

* This example is a two-pass technique that allows the file size to be specified and quality optimized for that filesize (using the information generated in the first pass). In this example, a 700 MB file is desired (and is specified by the negative value).

This information is from [http://en.gentoo-wiki.com/wiki/HOWTO_Mencoder_Introduction_Guide#XviD the Gentoo Wiki for Xvid and mencoder].

mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

=== Remove MKV subtitles and convert to AVI (XVID/MP3) ===
Mastroska container ([http://en.wikipedia.org/wiki/Matroska .MKV]) video files can have multiple subtitles included. In the default conversion from an .MKV container format to an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container format, the default subtitle file of the .MKV container is automatically hardcoded into the converted .AVI file, which may be undesirable. To overcome this behaviour (so that the converted .AVI has no subtitles), use the ''-sid 999'' option:

mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=1 -o /dev/null
mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

* To hardcode one of the subtitle tracks onto the .AVI video from the .MKV video, choose the subtrack ID, such as ''-sid 0'' or ''-sid 1''.

* If using NTFS and the error

Too many audio packets in the buffer: (4096 in 837540 bytes).
> Maybe you are playing a non-interleaved stream/file or the codec
> failed? For AVI files, try to force non-interleaved mode with the
> -ni option.

appears, then add these options:
-mc 0 -ofps 24000/1001 -noskip

=== DVD to AVI with Xvid / MP3 ===
* See the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-dvd-mpeg4.html mencoder documentation].
* Extract a video (in the .vob format) from a DVD to a file with an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container and [http://en.wikipedia.org/wiki/Xvid XVID]/DivX video and [http://en.wikipedia.org/wiki/LAME .MP3] audio using this (2-pass conversion) command:
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

where dvd://''1'' indicates the first track of the DVD. If you are not sure which track contains the content you wish to extract to a file, one way to check this is to play the DVD with a media player like VLC, examining the tracks on it:
:VLC -> Media -> Open Disc... -> Play -> Playback -> Navigation

or from the command line install lsdvd (''sudo apt-get install lsdvd'') and use it:
lsdvd -v -t 1 /dev/dvd

This will show a list of the title numbers (for the content tracks) on the DVD (and information about them). Use the title number for the content to be extracted.

* Conversion is much faster when done from from a hard drive than from a physical DVD. It is possible to copy the VIDEO_TS and AUDIO_TS folders from the physical DVD to a folder on the hard drive. Once you have copied the contents of the DVD to a folder, add the ''-dvd-device /path/to/dvd_folder'' option to specify it (with the same options as above in addition to the new one):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder''

* Note the ''-vobsub 999'' option to prevent subtitles from being automatically added. (If you wish to hardcode subtitles, use the number of the subtitle track, such as ''-sid 0'' or ''-vobsubid 0'' for the default subtitle track or ''-sid 1'' or ''-vobsubid 1'' for the next subtitle track.)

* Other options for video cropping and scaling can be used. See [http://www.axllent.org/docs/video/mencoder_dvd_to_mpeg4 these hints] and [http://savvyadmin.com/tag/xvid/ these tips], as well as [[#Resize_a_video|this section]].

* When better audio quality is desired, an audio [http://en.wikipedia.org/wiki/Bit_rate bitrate] more than 128 kb/sec can be used (e.g. ''br=160'' or ''br=192''), but this will give a larger file (or will decrease video quality if the filesize remains constant). cbr (constant bitrate) is used for mp3lame encoding in .AVI; I generally increase the volume of the video by 30% using the vol=3 option, as well. My final audio command therefore usually ends up: ''-oac mp3lame -lameopts cbr:br=128:vol=3''.

* If there are multiple audio tracks, the audio track can be selected with the ''-aid 1'' (or similar) option, specifying the number of the desired audio track. (Note: check audio track numbering carefully.) The English default audio track is usually ''-aid 128''. To show information about the audio tracks, use
lsdvd -a -t 1 /dev/dvd

* Although the ''bitrate=-700000'' option specifies a target file size of 700000 (approx. 700 MB), this actually results in a file size of nearly 800 MB. Specify a target filesize about 15% less than actually desired, therefore. For a target 700 Mb file, for example, I use ''bitrate=-620000''.

* For XVID there is an option to allow video seeking (for fast forwarding or rewinding) in 1 second increments (instead of the default 10 second increments): ''-xvidencopts max_key_interval=25'' (seek every 25 frames instead of the default 250 frames). This would be included as part of a more complex option string, such as ''-xvidencopts pass=2:max_key_interval=25:bitrate=-620000''.

* In order to play the converted .AVI file on my older DVD players and televisions (and avoid significant motion artifacts and pixelation), I find that I must use deinterlacing. Only two interlacing methods have worked well for me: ''-vf pp=lb'' or ''-vf yadif=0''. There are many methods of deinterlacing for mencoder, however (see [http://guru.multimedia.cx/deinterlacing-filters/ here] and [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html here], for example). Deinterlacing may not be necessary for your needs (when used for archival purposes only, for example, or if viewing files with media players (such as VLC) that already have built-in deinterlacing capabilities). Often recommended when ripping NTSC-format movies (progressive or telecined) is to include the option ''-vf pullup,softskip,harddup'', which must be used with a deinterlacing filter, such as ''-vf pullup,softskip,pp=lb,harddup'' (or ''-vf pullup,softskip,yadif=0,harddup''). The order of the telecine/progressive option, the deinterlacing option, and any cropping or scaling options is very specific -- read the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html#menc-feat-telecine-encode mencoder documentation] carefully when mixing these options. Specifically, cropping and scaling (when used) should be done after the telecine/progressive/deinterlacing options but before the frame duplication option, e.g. ''-vf pullup,softskip,pp=lb,crop=720:416:0:80,scale=704:304,harddup''.

* Note: You will need [[Kubuntu_Precise_Audio_Video_Conversion#libdvdcss|libdvdcss2]] installed on your system to access DVD data. If your DVD has encryption that is not able to be decrypted by libdvdcss, then consider using [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]], which uses a streaming algorithm to "rip" DVDs.

* This is the 2-pass command I end up using most often (with 4:3 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

* This is the 2-pass command I end up using most often (with 16:9 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

:The scale option is set so that I can play the video on analogue televisions with overscan (I still have a few of those). However, an alternative is to use ''scale=720:406'' for use on most widescreen TVs.

==== Using k9copy as a conversion front-end ====
* [[Kubuntu_Precise_Audio_Video_Conversion#K9copy_.28DVD_Ripper.29|k9copy]] is a good front-end for mencoder (as well as ffmpeg).
* To add an option to encode to XVID from an NTSC DVD (when using mencoder within k9copy), I add the necessary options to the Video codecs section:
:k9copy -> Configure k9copy -> Encoders -> ''mencoder'' -> Add -> label: ''XVID from NTSC'' -> first pass ->
-ovc xvid -xvidencopts bitrate=$VIDBR:turbo:pass=$PASS:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

The same command is entered for the "second pass" option as well. For the "one pass" option enter:
-ovc xvid -xvidencopts bitrate=$VIDBR:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

* To then use this new Video codec option, make sure it is selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Video -> Codec -> ''XVID from NTSC'' -> 2 pass (''ticked'') -> Apply

At the same time, the MP3 (lame) Audio codec option can be selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Audio -> Codec -> ''mp3 (lame)'' -> OK

* Now when the Output: ''MPEG-4 encoding'' is selected from the main screen, this "XVID from NTSC" Video encoding option will be used.

* Note that the ''-vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup'' option can be used with any Video codec, not just XVID.

=== AVI to MPG ===
* The MPG format is sometimes useful for creating DVDs (using the [http://en.wikipedia.org/wiki/MPEG-1 MPEG-1] or [http://en.wikipedia.org/wiki/MPEG-2 MPEG-2] video codec, which can be then used for vob files using [[Ubuntu:All#DVD_Author|QDVDAuthor]] or [[Ubuntu:All#ToVid|ToVid]]). If the audio codec of the AVI file is already AC3 or MP3, it usually can be copied. This example is take from the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-mpeg.html MPlayer/Mencoder documentation]. Example:

mencoder <input.avi> -of mpeg -ovc lavc -lavcopts vcodec=mpeg1video -oac copy -o <output.mpg>

=== Increase volume ===

* Use the ''-af volume=3:0'' option, where the first number (3 in the example) is the number of decibels to increment the volume (a 3 db increment doubles the volume), and the second number is 0 for hard-clipping and 1 to allow software-based clipping (to prevent oversaturation when the sound becomes too loud).

For example, if I want to double the sound volume of my .AVI video:

mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128 -af volume=3:0 -o <output.avi>

* This can also be done when encoding to the mp3lame audio codec by adding an option to the mp3lame options:
mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128:vol=3 -o <output.avi>

:where ''vol=3'' can be set to any value between -10 and 10. I use ''vol=3'' to increase the volume 30%. (This method works best for me.)

=== Add subtitles to video ===
* [http://en.wikipedia.org/wiki/SubRip .srt] subtitle files are essentially text files with time stamps. They are meant to be used with digital video files (such as .AVI files) and are different from the image-based .idx / .sub subtitle files (vobsub) used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs.

* Using mencoder:
mencoder -ovc [codec] [codec opts] -oac copy -sub [sub file.srt] -subfont-text-scale [3 normally]

In the example above, this would be:
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

*Note: When adding subtitles to an .AVI video, you must transcode it completely. It is not sufficient to merely add the subtitle track as listed above -- the entire video must be re-transcoded. So, for example:

mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

=== Trim a video ===
*Using mencoder:

mencoder <input.avi> -ovc copy -oac mp3lame -ss 01:57:12 -endpos 00:04:08 -o <output.avi>

where -ss indicates the start position of the clip (hh:mm:ss) and -endpos indicates how long the clip should be. (I use mp3lame for the audio codec because YouTube accepts that.)

=== Resize a video ===
*Using mencoder:
mencoder <input.avi> -ovc xvid -vf scale=320:240 -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

where -vf scale=320x240 indicates that the resulting video should be of that size. The position of the suboption in the command string is important.

* [http://en.wikipedia.org/wiki/High-definition_television HDTV] resolution is usually 1920 x 1080 ("1080p") or 1280 x 720 ("720p"). A [http://en.wikipedia.org/wiki/Standard-definition_television standard definition] widescreen TV has a maximum height of "480p" (usually 853 x 480 but sometimes 720 x 406). The standard width:height [http://en.wikipedia.org/wiki/Aspect_ratio_%28image%29 aspect ratio] for cinema is 1.85:1, whereas the average aspect ratio for widescreen movies distributed for display on television is 16:9 (1.78:1). When resizing a video, it is good to know the original dimensions of the video and maintain the width to height aspect ratio in the chosen scale.

:*Example: A video is distributed as 1280 x 692 (which has an aspect ratio of 1.85:1). The device (a low resolution television) on which it is to be displayed has a maximum width of 720. The desired resolution would then be 720 x 390 to keep the aspect ratio at approximately 1.85:1. The option would then be ''-vf scale=720:390''. An analog television would require 10% [http://en.wikipedia.org/wiki/Overscan overscan], making the maximum width 648. To keep an aspect ratio of 1.85:1 would require a resolution of 648 x 350, or a scale option of ''-vf scale=648:350''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on a television with a maximum width of 720p, which would require a final resolution of 720 x 406 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=720:406''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on an analogue television with 10% [http://en.wikipedia.org/wiki/Overscan overscan], which would require a final resolution of 648 x 364 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=648:364''.

* [http://en.wikipedia.org/wiki/Standard-definition_television "Standard" definition] [http://en.wikipedia.org/wiki/Analog_television analog television] has a 4:3 ratio, for which a scale of 640:480 (''-vf scale=640:480'') is generally preferable.

=== Convert to .MP3 audio file ===
* I find [[#Convert_to_.MP3_audio_file_using_FFMPEG|FFMPEG]] to be easier for this task.

* (''Under construction'') To use Mplayer to extract audio to pcm .wav file:
mplayer <input.avi> -vc null -oa pcm -aofile -ss 1441.4 -endpos 260.1 <output.wav>

*Then convert the .wav file to .mp3 with your favourite converter (such as SoundConverter).

=== Change audio track of video ===
* In general, [[All#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a good video editor for most needs, including muxing and demuxing video and audio.

* For a quick method to change the audio for a video, I like to merely remove the audio from the original video file using the ''-nosound'' option, for example:

mencoder <input.avi> -ovc copy -nosound -o <outputnosound.avi>

* Then, I add a new audio file as the audio track to the video using the ''-audiofile'' option. For example, if I now want to add an .mp3 audio track named <newaudio.mp3>, I would use the command:

mencoder <outputnosound.avi> -ovc copy -oac mp3lame -audiofile <newaudio.mp3> -o <output.avi>

== FFMPEG ==
[http://ffmpeg.org/ FFMPEG] is the swiss-army knife of video and audio format conversion. It succeeds when no other program can. It is free and open source. If it not yet installed on your system as part of another package (it is used by many video/audio editors), then install it:
sudo apt-get install ffmpeg

*To convert many different formats, read the [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html FFMPEG documentation]. Also see [http://howto-pages.org/ffmpeg/ this tutorial].

=== Flash video (.flv) to MPG-2 using FFMPEG ===
* To convert a saved Flash video (.flv) to an MPEG-2 format playable on a DVD, convert:
ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd ''samplevideo.mpg''

* Then use [[Kubuntu:Oneiric#K3b (CD/DVD burner)|K3b]] (or [[Ubuntu:Oneiric#Gnomebaker (CD/DVD burner)|Gnomebaker]]) to write the mpg file to a New DVD Data Project.

:*For PAL use -target pal-dvd. For widescreen, use -target film-dvd. For other conversion tips, see [http://ubuntuforums.org/archive/index.php/t-1006250.html this forum]. (Note: Most Flash video has very low resolution, with a screen size of 360x270, for example. You may see a slight diminishment in resolution if you wish to convert it to 720x480 (which is the NTSC standard size) or other screen size. You can keep the original screen size and resolution by omitting the -target parameter.) If your original file is 16:9 widescreen and you desire a 4:3 letterbox output for playing on an overscanned TV, you may need to pad the file so that the widescreen is not compressed (see [http://ubuntuforums.org/showthread.php?t=1010648 this forum]):

ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 ''samplevideo.mpg''

* You can also use the WinFF GUI and add the command (as above) as a "Preset," for subsequent use. For example:
:Video converter (WinFF) -> Edit -> Presets ->
:: Preset Name: Letterbox -> Preset Label: 16:9 Widescreen to 4:3 Letterbox
:: Preset command: -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58
::Ouput file extension: mpg -> Category: DVD
:::-> Add/Update -> Save

*To convert to MPEG-4 (mp4) files, use
ffmpeg -i ''samplevideo.flv'' ''outputvideo.mp4''

* FFMPEG requires that multiple [[Kubuntu:Oneiric#Restricted Extras|restricted extra codecs]] be installed. This can be done in a single easy step from the command-line Terminal:
sudo apt-get install kubuntu-restricted-extras
:or
sudo apt-get install ubuntu-restricted-extras

=== Convert to .MP3 audio file using FFMPEG ===
==== Convert Flash video audio to mp3 ====
* Once you have downloaded flash video content (.flv) from the Internet (using the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video Download Helper plug-in for Firefox]], for example), the audio component can be converted to an mp3 using this command (from the command line Terminal). (This will work for any type of video file, not just Flash.)
ffmpeg -i ''nameofvideoclip.flv'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''

:where -i indicates the input, -ab indicates the bit rate (in this example 160kb/sec), -vn means no video ouput, -ac 2 means 2 channels, -ar 44100 indicates the sampling frequency. See [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html#SEC11 FFMPEG docs] for more info.

If I only want a segment of the video to be converted, I can use the time markers:
ffmpeg -i ''nameofvideoclip.flv'' -ss ''00:00:09'' -t ''00:03:00'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''
:where -ss ''00:00:09'' indicates the point in the video (hh:mm:ss) at which to start conversion and -t ''00:03:00'' indicates the amount of time (from the start point) to convert.

* As long as [[#FFMPEG|FFMPEG]] is already installed, the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video DownloadHelper plug-in for Firefox]] already has an option to automatically convert an online video (such as those found at YouTube) into an .MP3 file. (Settings are adjustable.) From the DownloadHelper icon in Firefox, highlight the video to convert, then
:DownloadHelper icon -> Download and Convert -> Converter options: MP3

=== Edit/convert screencapture with FFMPEG ===
''Note: This section under construction.''

*Note: I now recommend using [[Video_Conversion|mencoder for all video conversion]] techniques. It uses some of the ffmpeg libraries but is faster and gives more reliable and high-quality results.

*This is only one example of a wide variety of techniques. Once I have a [[Screencasts#FFMPEG_with_x11grab|captured video]], I want to convert it to XVID video (which is the format my older DVD player accepts) and MP3 audio (mp3lame), which I will place in an AVI container (which my DVD player also accepts).

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -acodec libmp3lame -ss 00:00:09 -t 00:03:00 ''Punchcast2.avi''

I will start conversion (-ss) at second 9 (to eliminate unimportant things at the beginning) and convert 3 minutes (-t) of video (00:03:00).

* I happen to watch my screencasts on my old-fashioned 4:3 television. To do that, I make a letterboxed video:

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 -acodec libmp3lame ''Punchcast3.avi''

My laptop screen is 1366x768, which I reduce to a size of 648x364. My TV wants 720x480, so I pad the sides and top/bottom. Why not a width of 720 initially? My older television has 10% overscan, which cuts off 10% of the video. I therefore use (at least) 10% padding on the edges.

In newer versions of FFMPEG, the padding (and many other) options have changed. The proper command is now:
ffmpeg -i Punchcast1.avi -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -vf pad 720:480:36:58 -acodec libmp3lame Punchcast3.avi

ffmpeg movie=Punchcast1.avi:seek_point=9 -vcodec copy -acodec libmp3lame Punchcast1f.avi

=== WinFF (FFMPEG GUI) ===
[http://winff.org WinFF] is a free, GPL-licensed open source GUI frontend for FFMPEG. Install:
sudo apt-get install winff xterm
Run:
:Menu -> Applications -> Sound & Video -> WinFF

== VobSub2SRT (Convert subtitles from .sub/.idx to .srt) ==
* [https://github.com/ruediger/VobSub2SRT VobSub2SRT] is a simple (GPLv3-licensed) command line program to convert the image-based .idx / .sub subtitle files (used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs) into text-based [http://en.wikipedia.org/wiki/SubRip .srt] text subtitle files by using OCR. It is based on code from the [[Ubuntu:All#MPlayer_Multimedia_Player|MPlayer]] project, [[Ubuntu:All#Tesseract_.28Optical_Character_Reader.29|Tesseract]] as OCR software, and libavutil (part of the [[Ubuntu:All#FFMPEG_video_.2F_audio_conversion|FFmpeg]] project). Install the (K)Ubuntu/Debian (.deb) package from a PPA repository:
sudo add-apt-repository ppa:ruediger-c-plusplus/vobsub2srt
sudo apt-get update
sudo apt-get install vobsub2srt

* Alternatively, you can download and build a version from source code.
:* Install dependencies:
sudo apt-get install pkg-config build-essential cmake libavutil-dev libtesseract-dev

:* For (K)Ubuntu 12.10 (Quantal) also install:
sudo apt-get install libtiff5-dev tesseract-ocr-eng

:* For (K)Ubuntu 12.04LTS (Precise) also install:
sudo apt-get install libtiff4-dev tesseract-ocr tesseract-ocr-eng 

::* If you will be converting subtitles in languages other than English, you must install tesseract for any or all of those languages as well:
sudo apt-get install tesseract-ocr-vie tesseract-ocr-deu tesseract-ocr-fra tesseract-ocr-ita
sudo apt-get install tesseract-ocr-nld tesseract-ocr-spa tesseract-ocr-por tesseract-ocr-deu-f
::where vie is for Vietnamese, deu is for German, fra is for French, ita is for Italian, nld is for Dutch, spa is for Spanish, por is for Portugeuse, and deu-f is for German Fraktur script. If you don't you will get an error of the type: ''Unable to load unicharset file /usr/share/tesseract-ocr/tessdata/xxx.unicharset''.

:* Download and unzip the VobSub2SRT .zip file into its own directory:
mkdir vobsub2srt
cd vobsub2srt
wget -O vobsub2srt-current.zip <nowiki>https://github.com/ruediger/VobSub2SRT/zipball/ca53a18108eb08d6e2b853643d8c6838e2489823</nowiki>
unzip vobsub2srt-current.zip
rm vobsub2srt-current.zip

:* This will create a subdirectory with the current version. For example, my version is ''vobsub2srt/ruediger-VobSub2SRT-ca53a18''. Change into that directory then compile and install the program.
cd ''ruediger-VobSub2SRT-ca53a18''
./configure
make
sudo make install

:* This should install the program vobsub2srt to /usr/local/bin. You can uninstall vobsub2srt with ''sudo make uninstall''. You can build a *.deb package (Debian/Ubuntu) with ''make package''. The package is created in the build directory.

* Convert the .sub / .idx pair of subtitle files (named ''Filename.sub'' and ''Filename.idx'') into a .srt sbutitle file (named ''Filename.srt''):
vobsub2srt ''Filename''

:where Filename is the file name of the subtitle files WITHOUT the extension (.sub / .idx).

*If there are multiple languages in the .sub / .idx pair of subtitle files, you can select which language to convert (using the 2-letter [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639-1] language code, e.g. en, fr, de, it, es, pt, etc.):
vobsub2srt --lang en ''Filename''

* Edit the .srt subtitle file for OCR mistakes (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
kate ''Filename.srt''

== Join .MPG video segments ==
Individual video segments (MPEG-2, for example) can easily be joined:
cat ''samplevideo1.mpg'' ''samplevideo2.mpg'' ''samplevideo3.mpg'' > ''samplevideo123.mpg''

:You can then write the resulting MPEG-2 file to a DVD and play it in most DVD players.

== Split a file into segments ==
Any file can be [http://en.wikipedia.org/wiki/Split_%28Unix%29 split] into segments using the Linux command:
split -b 1440k ''my_big_file''

which will split ''my_big_file'' into equal segments of size 1440 kb.

== Create a commercial (.vob) format DVD ==
* The audiovideo container of commercial DVDs uses the [http://en.wikipedia.org/wiki/VOB .vob format]. This container requires either MPEG-1 or MPEG-2 video (.mpg) and either AC3 or MPEG-2 (.mp2) audio. Therefore, the first step in creating a DVD-video in this format is to convert all audiovisual files (to be included on it) to .mpg files (with one of those video and audio formats), usually with the MPEG-PS (A+V) container. This can be done from the command-line terminal (using mencoder or ffmpeg) or from a GUI utility (such as Avidemux).

:* The GUI utility [[Kubuntu_Precise_Video#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a GUI utility that has standardised settings for file conversion. [http://avidemux.org/admWiki/doku.php?id=tutorial:converting_to_dvd Here] is the Avidemux tutorial for conversion to a DVD-video.

::* Open the file and allow the time map and Index to be rebuilt.
::* It is best to convert a file (to be included on the DVD) to a format with MPEG-2 (avcodec) video, AC3 (lav) audio, and the MPEG-PS (A+V) container as an intermediate first. The MP2 audio format (the default for Avidemux in "Auto" mode) can also be used, and will result in a much smaller .mpg file then when using AC3 audio, but several of my very old DVD players only recognise AC3 audio (so this has therefore become my personal preference).
:::* The easiest method for doing this is to use the Avidemux Auto DVD wizard. (Avidemux -> Auto -> Optical Disc -> DVD). Select the appropriate souce and destination ratios. (My source videos are usually already in 16:9 widescreen formats, and I want to make DVDs for my widescreen 16:9 TV. I therefore choose 16:9 for both the "Source Aspect Ratio" and the "Destination Aspect Ratio.") The Auto DVD Wizard uses MP2 audio by default, but I personally like AC3 audio instead (the format usually used on "commercial" DVDs). I therefore change this using the Audio -> AC3 (lav) option.
:::* It is possible to customise (or initially set) the format options manually as well (see the Avidemux documentation). Select the Video (and make sure the aspect ratio is the one you desire in Video -> Configure -> Configuration: DVD -> Aspect Ratio: ''16:9'' ), Audio, and (container) Format options.
::::* To be DVD compliant, the resolution must be
:::::* 352*480 or 720*480 or 704*480 for NTSC
:::::* 352*576 or 720*576 or 704*576 for PAL/SECAM
:::: This is set automatically if using the Auto DVD wizard. If your original video does not already have the correct aspect ratio, you will have to use cropping, scaling, and/or black bar "Filter" options until one of the standard resolutions is achieved.

::* Save the file ( Avidemux -> File -> Save -> Save Video... -> ''myconvertedvideo.mpg'' ) to activate the conversion process. (If prompted whether to "Reuse the existing log file?" answer "No.")

:* Alternatively, mencoder can be used from the command-line to [[#AVI_to_MPG|convert a file to the .mpg format]].

:* Alternatively, FFMPEG can be used from the command-line to [[#Flash_video_.28.flv.29_to_MPG-2_using_FFMPEG|convert a file to the .mpg format]]. A simplified preset option for for conversion to both PAL and NTSC options is available.

* Once all files to be included on the DVD-video have been converted to .mpg files, the utility [[Kubuntu_Precise_Audio_Video_Conversion#DVD_Author|dvdauthor]] can be used for conversion to .vob format (appropriate for writing to the DVD). While this utility can be used from the command-line, "authoring" (conversion) is more easily accomplished using one of several available [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|GUI front-ends]], which allow creation of menus for the DVD as well.

::* With Kubuntu I use KMediaFactory for simple projects. (QDVDAuthor, which is difficult to install in recent Kubuntu versions, is superior and more powerful. [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|KMediaFactory]], in contrast, is in the repositories and is adequate (and quick) for most purposes.
:::* Rename the .mpg files (created with Avidemux or other method) carefully. The filename(s) becomes the Title(s) used by KMediaFactory for the video(s) on the DVD menu.
:::* Set up the DVD menu in KMediaFactory.
::::* KMediaFactory -> Project -> Title -> ''MyDVDTitle'' (this will appear on the DVD Menu at the top)
::::* -> Type: ''DVD-NTSC'' -> Aspect: ''16:9'' -> Destination Folder ''/home/user/DVDs''
:::* Add the .mpg files to the DVD.
::::* KMediaFactory -> Media -> Add Video -> ''MyFirstVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::::* -> Add Video -> ''MySecondVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::* Choose the DVD Menu appearance.
::::* KMediaFactory -> Template -> ''Preview 3''
:::* Choose the output format. For this, I generally create a "DVD folder":
::::* KMediaFactory -> Output -> DVD Folder
:::* Start the conversion ("DVD authoring") process. If an error appears, the problem usually lies in a non-existent (or write-protected) folder having been specified when setting the "Title" options. Make sure the folder has been specified properly. KMediaFactory will then create the standard AUDIO_TS and VIDEO_TS folders in the folder specified.
::::* -> Start
:::* Prior to burning I check to make sure that my DVD looks the way I had intended using [[Kubuntu_Precise_Media_Players#VLC_Multimedia_Player|VLC]] (VLC -> Media -> Open Disc... -> Browse... -> ''specified_folder'' -> Play)

::* In Kubuntu I then use [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|K3b]] to burn the AUDIO_TS and VIDEO_TS folders to a blank DVD. This can be done in K3b using the "New Video DVD Project" (K3b -> More actions... -> New Video DVD Project) using the AUDIO_TS and VIDEO_TS folders as the data. Edit the name of the DVD to reflect the desired DVD name. "Burn" the DVD. The result will be identical to commercial DVDs. (Note: In recent versions of K3b I have had to "Burn" using the "growisofs" Writing app at 8x Speed and DAO (Disc-At-Once) Writing Mode in order to achieve reliable burns. See [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|here]] for more details.)

== Recommended formats ==
* There is only one format that works on all my devices (computer (both Linux and Windows), (Android) tablet, (Android) eBook reader, MP3 player, DVD player):
:* .AVI container with XVID/DivX video codec and MP3lame (MP3) audio codec

:I use this for all my devices, and encode files to about 700 MB. This is a good size that gives good quality and allows me to fit many videos on a single SDcard (which I use in my mobile devices). For most of my devices, a 128 kb MP3 encoding bitrate is sufficient; I previously encoded at 192 kb for MP3lame (which is the default bitrate for AC3 sound), but I find this bitrate to be unnecessary. (The higher the encoding bitrate, the larger the encoded file, and I try to keep all my files around 700 MB.) The .AVI container has several limitations: it does not allow more than stereo audio (i.e. no 5.1 surround sound), does not allow multiple subtitle files, and requires a constant bitrate (CBR) audio channel. For advanced archival purposes it may not be suitable in the long-term, but currently it is desirable for the wide range of devices that accept it. It is also one of the only containers guaranteed to be accepted by Windows computers (since the container is originally a Windows-based format).

* I am also able to use an .MP4 container with X264/H.264 video codec and either the AAC audio codec or the MP3lame (MP3) audio codec on many devices, but not all. Neither the X264/H.264 video nor the AAC audio will play on my DVD player or MP3 player, for example (though it plays on my computer and Android tablet devices).

:* The related .M4V container (the proprietary Apple Quicktime format) works on almost none of my devices, and, furthermore, is difficult to decode and re-encode to a different container. I shun this format like the plague.

* The newer .MKV container, though open source and a superior container, is accepted by very few of my older devices. It does not play on my (older) DVD player or MP3 player, for example (no matter which video and audio codecs are used).

:Nevertheless, most newer DVD players seem to accept the .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. Over the years, however, I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at [http://www.bestbuy.com/site/Philips+-+DVD+Player+with+HD+Upconversion/4983625.p;jsessionid=436B03D27CA483A9AB8EC510D0B2B03C.bbolsp-app01-115?id=1218644449769&skuId=4983625&st=philips&cp=1&lp=15 Best Buy] for $40). I highly recommend this player, therefore, if you find yourself with a large collection of .AVI / XVID video files. However, it does not play MP4 files, which is a drawback. (Note: I am told that [http://www.amazon.com/Philips-Region-1080p-Upconverting-Player/dp/B004BI6MVS/ref=pd_cp_e_0#productDescription this upconverting Philips DVD] player will play region-free, both PAL and NTSC formats, and both MP4 and DivX/XVID codecs.)

* My Android (2.3) tablet devices will also not accept the AC3 audio codec (which is the standard audio used on commercial DVDs, for example), so most of the time I re-encode any files having AC3 audio with the MP3lame audio codec instead.

Template:Video Conversion

Perspectoff — Sat, 27 Apr 2013 21:11:19 GMT

Perspectoff: /* Create a commercial (.vob) format DVD */

= Video Conversion =
This guide does not advocate the illegal duplication of copyrighted content. However, fewer and fewer devices use DVDs any longer, and a large amount of video content is distributed on DVDs. It becomes necessary to convert video content into formats that can be viewed on devices that no longer used DVDs. Furthermore, online content is often in a format that is not universally playable and this also requires conversion. Trying to select and encode a video into a format which your device accepts is not always a straightforward task.

== Introduction ==
There are lots of video and audio codecs and lots of methods and preferences for converting between formats. These are only some basic examples. A good deal of trial and error is often required for successful video conversion.

* Mencoder and FFMPEG are the two packages that are the workhorses of video conversion. Of these, mencoder is faster and generally gives better results.

* [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]] uses a streaming algorithm and FFMPEG to "rip" DVDs and can work with many different encryption methods. It uses the (superior, open source) [http://en.wikipedia.org/wiki/Matroska .MKV] container only, however (which is not supported by many devices). It also does not support [http://en.wikipedia.org/wiki/Xvid XVID] (and uses either [http://en.wikipedia.org/wiki/X264 X264/H.264] or [http://en.wikipedia.org/wiki/MPEG-4_Part_14 MP4] video codecs) and therefore its video output is also not universally accepted by a wide range of devices. As these standards become more widely accepted, however, this will be an invaluable encoding tool. On rare occasions I rip a video with Handbrake (to .MKV and H.264/MP3) and then convert it to .AVI (XVID/MP3) in a second step (using mencoder).

* When I originally wrote these articles, .MKV was accommodated by only a handful of DVD players. A recent survey of new DVD players shows that most (including widely available inexpensive DVD players) will now play files in .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. However, over the years I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at Best Buy for $40). I highly recommend this player if you find yourself with a large collection of .AVI / XVID video files.

== Mencoder ==
[http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html Mencoder] is part of the [http://www.mplayerhq.hu/DOCS/HTML/en/index.html MPlayer] set of libraries (that also uses several of the FFMPEG libraries) for audio/visual conversion. If it is not installed on your system, install it:
sudo apt-get install mencoder

Usage instructions can be found from the command-line (''man mencoder'') or [http://linux.die.net/man/1/mencoder here].

=== MP4 with AAC audio to AVI with Xvid / MP3 ===
* The [http://en.wikipedia.org/wiki/Advanced_Audio_Coding#Licensing_and_patents AAC audio codec] is not compatible with many DVD players and devices due to licensing restrictions, whereas the MP3 audio codec is nearly universally accepted. Xvid is the open source version of the DivX video codec and is accepted by a very large number of DVD players and other devices (even older ones, especially those displaying the DivX logo).

* The [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container only allows a [http://en.wikipedia.org/wiki/Constant_bitrate constant bitrate], so the MP3 audio must be encoded at CBR. If the AAC is [http://en.wikipedia.org/wiki/5.1_surround_sound 5.1], it will be downcoded to stereo for MP3.

* This example is a two-pass technique that allows the file size to be specified and quality optimized for that filesize (using the information generated in the first pass). In this example, a 700 MB file is desired (and is specified by the negative value).

This information is from [http://en.gentoo-wiki.com/wiki/HOWTO_Mencoder_Introduction_Guide#XviD the Gentoo Wiki for Xvid and mencoder].

mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

=== Remove MKV subtitles and convert to AVI (XVID/MP3) ===
Mastroska container ([http://en.wikipedia.org/wiki/Matroska .MKV]) video files can have multiple subtitles included. In the default conversion from an .MKV container format to an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container format, the default subtitle file of the .MKV container is automatically hardcoded into the converted .AVI file, which may be undesirable. To overcome this behaviour (so that the converted .AVI has no subtitles), use the ''-sid 999'' option:

mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=1 -o /dev/null
mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

* To hardcode one of the subtitle tracks onto the .AVI video from the .MKV video, choose the subtrack ID, such as ''-sid 0'' or ''-sid 1''.

* If using NTFS and the error

Too many audio packets in the buffer: (4096 in 837540 bytes).
> Maybe you are playing a non-interleaved stream/file or the codec
> failed? For AVI files, try to force non-interleaved mode with the
> -ni option.

appears, then add these options:
-mc 0 -ofps 24000/1001 -noskip

=== DVD to AVI with Xvid / MP3 ===
* See the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-dvd-mpeg4.html mencoder documentation].
* Extract a video (in the .vob format) from a DVD to a file with an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container and [http://en.wikipedia.org/wiki/Xvid XVID]/DivX video and [http://en.wikipedia.org/wiki/LAME .MP3] audio using this (2-pass conversion) command:
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

where dvd://''1'' indicates the first track of the DVD. If you are not sure which track contains the content you wish to extract to a file, one way to check this is to play the DVD with a media player like VLC, examining the tracks on it:
:VLC -> Media -> Open Disc... -> Play -> Playback -> Navigation

or from the command line install lsdvd (''sudo apt-get install lsdvd'') and use it:
lsdvd -v -t 1 /dev/dvd

This will show a list of the title numbers (for the content tracks) on the DVD (and information about them). Use the title number for the content to be extracted.

* Conversion is much faster when done from from a hard drive than from a physical DVD. It is possible to copy the VIDEO_TS and AUDIO_TS folders from the physical DVD to a folder on the hard drive. Once you have copied the contents of the DVD to a folder, add the ''-dvd-device /path/to/dvd_folder'' option to specify it (with the same options as above in addition to the new one):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder''

* Note the ''-vobsub 999'' option to prevent subtitles from being automatically added. (If you wish to hardcode subtitles, use the number of the subtitle track, such as ''-sid 0'' or ''-vobsubid 0'' for the default subtitle track or ''-sid 1'' or ''-vobsubid 1'' for the next subtitle track.)

* Other options for video cropping and scaling can be used. See [http://www.axllent.org/docs/video/mencoder_dvd_to_mpeg4 these hints] and [http://savvyadmin.com/tag/xvid/ these tips], as well as [[#Resize_a_video|this section]].

* When better audio quality is desired, an audio [http://en.wikipedia.org/wiki/Bit_rate bitrate] more than 128 kb/sec can be used (e.g. ''br=160'' or ''br=192''), but this will give a larger file (or will decrease video quality if the filesize remains constant). cbr (constant bitrate) is used for mp3lame encoding in .AVI; I generally increase the volume of the video by 30% using the vol=3 option, as well. My final audio command therefore usually ends up: ''-oac mp3lame -lameopts cbr:br=128:vol=3''.

* If there are multiple audio tracks, the audio track can be selected with the ''-aid 1'' (or similar) option, specifying the number of the desired audio track. (Note: check audio track numbering carefully.) The English default audio track is usually ''-aid 128''. To show information about the audio tracks, use
lsdvd -a -t 1 /dev/dvd

* Although the ''bitrate=-700000'' option specifies a target file size of 700000 (approx. 700 MB), this actually results in a file size of nearly 800 MB. Specify a target filesize about 15% less than actually desired, therefore. For a target 700 Mb file, for example, I use ''bitrate=-620000''.

* For XVID there is an option to allow video seeking (for fast forwarding or rewinding) in 1 second increments (instead of the default 10 second increments): ''-xvidencopts max_key_interval=25'' (seek every 25 frames instead of the default 250 frames). This would be included as part of a more complex option string, such as ''-xvidencopts pass=2:max_key_interval=25:bitrate=-620000''.

* In order to play the converted .AVI file on my older DVD players and televisions (and avoid significant motion artifacts and pixelation), I find that I must use deinterlacing. Only two interlacing methods have worked well for me: ''-vf pp=lb'' or ''-vf yadif=0''. There are many methods of deinterlacing for mencoder, however (see [http://guru.multimedia.cx/deinterlacing-filters/ here] and [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html here], for example). Deinterlacing may not be necessary for your needs (when used for archival purposes only, for example, or if viewing files with media players (such as VLC) that already have built-in deinterlacing capabilities). Often recommended when ripping NTSC-format movies (progressive or telecined) is to include the option ''-vf pullup,softskip,harddup'', which must be used with a deinterlacing filter, such as ''-vf pullup,softskip,pp=lb,harddup'' (or ''-vf pullup,softskip,yadif=0,harddup''). The order of the telecine/progressive option, the deinterlacing option, and any cropping or scaling options is very specific -- read the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html#menc-feat-telecine-encode mencoder documentation] carefully when mixing these options. Specifically, cropping and scaling (when used) should be done after the telecine/progressive/deinterlacing options but before the frame duplication option, e.g. ''-vf pullup,softskip,pp=lb,crop=720:416:0:80,scale=704:304,harddup''.

* Note: You will need [[Kubuntu_Precise_Audio_Video_Conversion#libdvdcss|libdvdcss2]] installed on your system to access DVD data. If your DVD has encryption that is not able to be decrypted by libdvdcss, then consider using [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]], which uses a streaming algorithm to "rip" DVDs.

* This is the 2-pass command I end up using most often (with 4:3 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

* This is the 2-pass command I end up using most often (with 16:9 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

:The scale option is set so that I can play the video on analogue televisions with overscan (I still have a few of those). However, an alternative is to use ''scale=720:406'' for use on most widescreen TVs.

==== Using k9copy as a conversion front-end ====
* [[Kubuntu_Precise_Audio_Video_Conversion#K9copy_.28DVD_Ripper.29|k9copy]] is a good front-end for mencoder (as well as ffmpeg).
* To add an option to encode to XVID from an NTSC DVD (when using mencoder within k9copy), I add the necessary options to the Video codecs section:
:k9copy -> Configure k9copy -> Encoders -> ''mencoder'' -> Add -> label: ''XVID from NTSC'' -> first pass ->
-ovc xvid -xvidencopts bitrate=$VIDBR:turbo:pass=$PASS:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

The same command is entered for the "second pass" option as well. For the "one pass" option enter:
-ovc xvid -xvidencopts bitrate=$VIDBR:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

* To then use this new Video codec option, make sure it is selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Video -> Codec -> ''XVID from NTSC'' -> 2 pass (''ticked'') -> Apply

At the same time, the MP3 (lame) Audio codec option can be selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Audio -> Codec -> ''mp3 (lame)'' -> OK

* Now when the Output: ''MPEG-4 encoding'' is selected from the main screen, this "XVID from NTSC" Video encoding option will be used.

* Note that the ''-vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup'' option can be used with any Video codec, not just XVID.

=== AVI to MPG ===
* The MPG format is sometimes useful for creating DVDs (using the [http://en.wikipedia.org/wiki/MPEG-1 MPEG-1] or [http://en.wikipedia.org/wiki/MPEG-2 MPEG-2] video codec, which can be then used for vob files using [[Ubuntu:All#DVD_Author|QDVDAuthor]] or [[Ubuntu:All#ToVid|ToVid]]). If the audio codec of the AVI file is already AC3 or MP3, it usually can be copied. This example is take from the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-mpeg.html MPlayer/Mencoder documentation]. Example:

mencoder <input.avi> -of mpeg -ovc lavc -lavcopts vcodec=mpeg1video -oac copy -o <output.mpg>

=== Increase volume ===

* Use the ''-af volume=3:0'' option, where the first number (3 in the example) is the number of decibels to increment the volume (a 3 db increment doubles the volume), and the second number is 0 for hard-clipping and 1 to allow software-based clipping (to prevent oversaturation when the sound becomes too loud).

For example, if I want to double the sound volume of my .AVI video:

mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128 -af volume=3:0 -o <output.avi>

* This can also be done when encoding to the mp3lame audio codec by adding an option to the mp3lame options:
mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128:vol=3 -o <output.avi>

:where ''vol=3'' can be set to any value between -10 and 10. I use ''vol=3'' to increase the volume 30%. (This method works best for me.)

=== Add subtitles to video ===
* [http://en.wikipedia.org/wiki/SubRip .srt] subtitle files are essentially text files with time stamps. They are meant to be used with digital video files (such as .AVI files) and are different from the image-based .idx / .sub subtitle files (vobsub) used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs.

* Using mencoder:
mencoder -ovc [codec] [codec opts] -oac copy -sub [sub file.srt] -subfont-text-scale [3 normally]

In the example above, this would be:
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

*Note: When adding subtitles to an .AVI video, you must transcode it completely. It is not sufficient to merely add the subtitle track as listed above -- the entire video must be re-transcoded. So, for example:

mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

=== Trim a video ===
*Using mencoder:

mencoder <input.avi> -ovc copy -oac mp3lame -ss 01:57:12 -endpos 00:04:08 -o <output.avi>

where -ss indicates the start position of the clip (hh:mm:ss) and -endpos indicates how long the clip should be. (I use mp3lame for the audio codec because YouTube accepts that.)

=== Resize a video ===
*Using mencoder:
mencoder <input.avi> -ovc xvid -vf scale=320:240 -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

where -vf scale=320x240 indicates that the resulting video should be of that size. The position of the suboption in the command string is important.

* [http://en.wikipedia.org/wiki/High-definition_television HDTV] resolution is usually 1920 x 1080 ("1080p") or 1280 x 720 ("720p"). A [http://en.wikipedia.org/wiki/Standard-definition_television standard definition] widescreen TV has a maximum height of "480p" (usually 853 x 480 but sometimes 720 x 406). The standard width:height [http://en.wikipedia.org/wiki/Aspect_ratio_%28image%29 aspect ratio] for cinema is 1.85:1, whereas the average aspect ratio for widescreen movies distributed for display on television is 16:9 (1.78:1). When resizing a video, it is good to know the original dimensions of the video and maintain the width to height aspect ratio in the chosen scale.

:*Example: A video is distributed as 1280 x 692 (which has an aspect ratio of 1.85:1). The device (a low resolution television) on which it is to be displayed has a maximum width of 720. The desired resolution would then be 720 x 390 to keep the aspect ratio at approximately 1.85:1. The option would then be ''-vf scale=720:390''. An analog television would require 10% [http://en.wikipedia.org/wiki/Overscan overscan], making the maximum width 648. To keep an aspect ratio of 1.85:1 would require a resolution of 648 x 350, or a scale option of ''-vf scale=648:350''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on a television with a maximum width of 720p, which would require a final resolution of 720 x 406 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=720:406''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on an analogue television with 10% [http://en.wikipedia.org/wiki/Overscan overscan], which would require a final resolution of 648 x 364 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=648:364''.

* [http://en.wikipedia.org/wiki/Standard-definition_television "Standard" definition] [http://en.wikipedia.org/wiki/Analog_television analog television] has a 4:3 ratio, for which a scale of 640:480 (''-vf scale=640:480'') is generally preferable.

=== Convert to .MP3 audio file ===
* I find [[#Convert_to_.MP3_audio_file_using_FFMPEG|FFMPEG]] to be easier for this task.

* (''Under construction'') To use Mplayer to extract audio to pcm .wav file:
mplayer <input.avi> -vc null -oa pcm -aofile -ss 1441.4 -endpos 260.1 <output.wav>

*Then convert the .wav file to .mp3 with your favourite converter (such as SoundConverter).

=== Change audio track of video ===
* In general, [[All#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a good video editor for most needs, including muxing and demuxing video and audio.

* For a quick method to change the audio for a video, I like to merely remove the audio from the original video file using the ''-nosound'' option, for example:

mencoder <input.avi> -ovc copy -nosound -o <outputnosound.avi>

* Then, I add a new audio file as the audio track to the video using the ''-audiofile'' option. For example, if I now want to add an .mp3 audio track named <newaudio.mp3>, I would use the command:

mencoder <outputnosound.avi> -ovc copy -oac mp3lame -audiofile <newaudio.mp3> -o <output.avi>

== FFMPEG ==
[http://ffmpeg.org/ FFMPEG] is the swiss-army knife of video and audio format conversion. It succeeds when no other program can. It is free and open source. If it not yet installed on your system as part of another package (it is used by many video/audio editors), then install it:
sudo apt-get install ffmpeg

*To convert many different formats, read the [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html FFMPEG documentation]. Also see [http://howto-pages.org/ffmpeg/ this tutorial].

=== Flash video (.flv) to MPG-2 using FFMPEG ===
* To convert a saved Flash video (.flv) to an MPEG-2 format playable on a DVD, convert:
ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd ''samplevideo.mpg''

* Then use [[Kubuntu:Oneiric#K3b (CD/DVD burner)|K3b]] (or [[Ubuntu:Oneiric#Gnomebaker (CD/DVD burner)|Gnomebaker]]) to write the mpg file to a New DVD Data Project.

:*For PAL use -target pal-dvd. For widescreen, use -target film-dvd. For other conversion tips, see [http://ubuntuforums.org/archive/index.php/t-1006250.html this forum]. (Note: Most Flash video has very low resolution, with a screen size of 360x270, for example. You may see a slight diminishment in resolution if you wish to convert it to 720x480 (which is the NTSC standard size) or other screen size. You can keep the original screen size and resolution by omitting the -target parameter.) If your original file is 16:9 widescreen and you desire a 4:3 letterbox output for playing on an overscanned TV, you may need to pad the file so that the widescreen is not compressed (see [http://ubuntuforums.org/showthread.php?t=1010648 this forum]):

ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 ''samplevideo.mpg''

* You can also use the WinFF GUI and add the command (as above) as a "Preset," for subsequent use. For example:
:Video converter (WinFF) -> Edit -> Presets ->
:: Preset Name: Letterbox -> Preset Label: 16:9 Widescreen to 4:3 Letterbox
:: Preset command: -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58
::Ouput file extension: mpg -> Category: DVD
:::-> Add/Update -> Save

*To convert to MPEG-4 (mp4) files, use
ffmpeg -i ''samplevideo.flv'' ''outputvideo.mp4''

* FFMPEG requires that multiple [[Kubuntu:Oneiric#Restricted Extras|restricted extra codecs]] be installed. This can be done in a single easy step from the command-line Terminal:
sudo apt-get install kubuntu-restricted-extras
:or
sudo apt-get install ubuntu-restricted-extras

=== Convert to .MP3 audio file using FFMPEG ===
==== Convert Flash video audio to mp3 ====
* Once you have downloaded flash video content (.flv) from the Internet (using the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video Download Helper plug-in for Firefox]], for example), the audio component can be converted to an mp3 using this command (from the command line Terminal). (This will work for any type of video file, not just Flash.)
ffmpeg -i ''nameofvideoclip.flv'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''

:where -i indicates the input, -ab indicates the bit rate (in this example 160kb/sec), -vn means no video ouput, -ac 2 means 2 channels, -ar 44100 indicates the sampling frequency. See [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html#SEC11 FFMPEG docs] for more info.

If I only want a segment of the video to be converted, I can use the time markers:
ffmpeg -i ''nameofvideoclip.flv'' -ss ''00:00:09'' -t ''00:03:00'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''
:where -ss ''00:00:09'' indicates the point in the video (hh:mm:ss) at which to start conversion and -t ''00:03:00'' indicates the amount of time (from the start point) to convert.

* As long as [[#FFMPEG|FFMPEG]] is already installed, the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video DownloadHelper plug-in for Firefox]] already has an option to automatically convert an online video (such as those found at YouTube) into an .MP3 file. (Settings are adjustable.) From the DownloadHelper icon in Firefox, highlight the video to convert, then
:DownloadHelper icon -> Download and Convert -> Converter options: MP3

=== Edit/convert screencapture with FFMPEG ===
''Note: This section under construction.''

*Note: I now recommend using [[Video_Conversion|mencoder for all video conversion]] techniques. It uses some of the ffmpeg libraries but is faster and gives more reliable and high-quality results.

*This is only one example of a wide variety of techniques. Once I have a [[Screencasts#FFMPEG_with_x11grab|captured video]], I want to convert it to XVID video (which is the format my older DVD player accepts) and MP3 audio (mp3lame), which I will place in an AVI container (which my DVD player also accepts).

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -acodec libmp3lame -ss 00:00:09 -t 00:03:00 ''Punchcast2.avi''

I will start conversion (-ss) at second 9 (to eliminate unimportant things at the beginning) and convert 3 minutes (-t) of video (00:03:00).

* I happen to watch my screencasts on my old-fashioned 4:3 television. To do that, I make a letterboxed video:

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 -acodec libmp3lame ''Punchcast3.avi''

My laptop screen is 1366x768, which I reduce to a size of 648x364. My TV wants 720x480, so I pad the sides and top/bottom. Why not a width of 720 initially? My older television has 10% overscan, which cuts off 10% of the video. I therefore use (at least) 10% padding on the edges.

In newer versions of FFMPEG, the padding (and many other) options have changed. The proper command is now:
ffmpeg -i Punchcast1.avi -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -vf pad 720:480:36:58 -acodec libmp3lame Punchcast3.avi

ffmpeg movie=Punchcast1.avi:seek_point=9 -vcodec copy -acodec libmp3lame Punchcast1f.avi

=== WinFF (FFMPEG GUI) ===
[http://winff.org WinFF] is a free, GPL-licensed open source GUI frontend for FFMPEG. Install:
sudo apt-get install winff xterm
Run:
:Menu -> Applications -> Sound & Video -> WinFF

== VobSub2SRT (Convert subtitles from .sub/.idx to .srt) ==
* [https://github.com/ruediger/VobSub2SRT VobSub2SRT] is a simple (GPLv3-licensed) command line program to convert the image-based .idx / .sub subtitle files (used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs) into text-based [http://en.wikipedia.org/wiki/SubRip .srt] text subtitle files by using OCR. It is based on code from the [[Ubuntu:All#MPlayer_Multimedia_Player|MPlayer]] project, [[Ubuntu:All#Tesseract_.28Optical_Character_Reader.29|Tesseract]] as OCR software, and libavutil (part of the [[Ubuntu:All#FFMPEG_video_.2F_audio_conversion|FFmpeg]] project). Install the (K)Ubuntu/Debian (.deb) package from a PPA repository:
sudo add-apt-repository ppa:ruediger-c-plusplus/vobsub2srt
sudo apt-get update
sudo apt-get install vobsub2srt

* Alternatively, you can download and build a version from source code.
:* Install dependencies:
sudo apt-get install pkg-config build-essential cmake libavutil-dev libtesseract-dev

:* For (K)Ubuntu 12.10 (Quantal) also install:
sudo apt-get install libtiff5-dev tesseract-ocr-eng

:* For (K)Ubuntu 12.04LTS (Precise) also install:
sudo apt-get install libtiff4-dev tesseract-ocr tesseract-ocr-eng 

::* If you will be converting subtitles in languages other than English, you must install tesseract for any or all of those languages as well:
sudo apt-get install tesseract-ocr-vie tesseract-ocr-deu tesseract-ocr-fra tesseract-ocr-ita
sudo apt-get install tesseract-ocr-nld tesseract-ocr-spa tesseract-ocr-por tesseract-ocr-deu-f
::where vie is for Vietnamese, deu is for German, fra is for French, ita is for Italian, nld is for Dutch, spa is for Spanish, por is for Portugeuse, and deu-f is for German Fraktur script. If you don't you will get an error of the type: ''Unable to load unicharset file /usr/share/tesseract-ocr/tessdata/xxx.unicharset''.

:* Download and unzip the VobSub2SRT .zip file into its own directory:
mkdir vobsub2srt
cd vobsub2srt
wget -O vobsub2srt-current.zip <nowiki>https://github.com/ruediger/VobSub2SRT/zipball/ca53a18108eb08d6e2b853643d8c6838e2489823</nowiki>
unzip vobsub2srt-current.zip
rm vobsub2srt-current.zip

:* This will create a subdirectory with the current version. For example, my version is ''vobsub2srt/ruediger-VobSub2SRT-ca53a18''. Change into that directory then compile and install the program.
cd ''ruediger-VobSub2SRT-ca53a18''
./configure
make
sudo make install

:* This should install the program vobsub2srt to /usr/local/bin. You can uninstall vobsub2srt with ''sudo make uninstall''. You can build a *.deb package (Debian/Ubuntu) with ''make package''. The package is created in the build directory.

* Convert the .sub / .idx pair of subtitle files (named ''Filename.sub'' and ''Filename.idx'') into a .srt sbutitle file (named ''Filename.srt''):
vobsub2srt ''Filename''

:where Filename is the file name of the subtitle files WITHOUT the extension (.sub / .idx).

*If there are multiple languages in the .sub / .idx pair of subtitle files, you can select which language to convert (using the 2-letter [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639-1] language code, e.g. en, fr, de, it, es, pt, etc.):
vobsub2srt --lang en ''Filename''

* Edit the .srt subtitle file for OCR mistakes (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
kate ''Filename.srt''

== Join .MPG video segments ==
Individual video segments (MPEG-2, for example) can easily be joined:
cat ''samplevideo1.mpg'' ''samplevideo2.mpg'' ''samplevideo3.mpg'' > ''samplevideo123.mpg''

:You can then write the resulting MPEG-2 file to a DVD and play it in most DVD players.

== Split a file into segments ==
Any file can be [http://en.wikipedia.org/wiki/Split_%28Unix%29 split] into segments using the Linux command:
split -b 1440k ''my_big_file''

which will split ''my_big_file'' into equal segments of size 1440 kb.

== Create a commercial (.vob) format DVD ==
* The audiovideo container of commercial DVDs uses the [http://en.wikipedia.org/wiki/VOB .vob format]. This container requires either MPEG-1 or MPEG-2 video (.mpg) and either AC3 or MPEG-2 (.mp2) audio. Therefore, the first step in creating a DVD-video in this format is to convert all audiovisual files (to be included on it) to .mpg files (with one of those video and audio formats), usually with the MPEG-PS (A+V) container. This can be done from the command-line terminal (using mencoder or ffmpeg) or from a GUI utility (such as Avidemux).

:* The GUI utility [[Kubuntu_Precise_Video#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a GUI utility that has standardised settings for file conversion. [http://avidemux.org/admWiki/doku.php?id=tutorial:converting_to_dvd Here] is the Avidemux tutorial for conversion to a DVD-video.

::* Open the file and allow the time map and Index to be rebuilt.
::* It is best to convert a file (to be included on the DVD) to a format with MPEG-2 (avcodec) video, AC3 (lav) audio, and the MPEG-PS (A+V) container as an intermediate first. The MP2 audio format (the default for Avidemux in "Auto" mode) can also be used, and will result in a much smaller .mpg file then when using AC3 audio, but several of my very old DVD players only recognise AC3 audio (so this has therefore become my personal preference).
:::* The easiest method for doing this is to use the Avidemux Auto DVD wizard. (Avidemux -> Auto -> Optical Disc -> DVD). Select the appropriate souce and destination ratios. (My source videos are usually already in 16:9 widescreen formats, and I want to make DVDs for my widescreen 16:9 TV. I therefore choose 16:9 for both the "Source Aspect Ratio" and the "Destination Aspect Ratio.") The Auto DVD Wizard uses MP2 audio by default, but I personally like AC3 audio instead (the format usually used on "commercial" DVDs). I therefore change this using the Audio -> AC3 (lav) option.
:::* It is possible to customise (or initially set) the format options manually as well (see the Avidemux documentation). Select the Video (and make sure the aspect ratio is the one you desire in Video -> Configure -> Configuration: DVD -> Aspect Ratio: ''16:9'' ), Audio, and (container) Format options.
::::* To be DVD compliant, the resolution must be
:::::* 352*480 or 720*480 or 704*480 for NTSC
:::::* 352*576 or 720*576 or 704*576 for PAL/SECAM
:::: This is set automatically if using the Auto DVD wizard. If your original video does not already have the correct aspect ratio, you will have to use cropping, scaling, and/or black bar "Filter" options until one of the standard resolutions is achieved.

::* Save the file ( Avidemux -> File -> Save -> Save Video... -> ''myconvertedvideo.mpg'' ) to activate the conversion process. (If prompted whether to "Reuse the existing log file?" answer "No.")

:* Alternatively, mencoder can be used from the command-line to [[#AVI_to_MPG|convert a file to the .mpg format]].

:* Alternatively, FFMPEG can be used from the command-line to [[#Flash_video_.28.flv.29_to_MPG-2_using_FFMPEG|convert a file to the .mpg format]]. A simplified preset option for for conversion to both PAL and NTSC options is available.

* Once all files to be included on the DVD-video have been converted to .mpg files, the utility [[Kubuntu_Precise_Audio_Video_Conversion#DVD_Author|dvdauthor]] can be used for conversion to .vob format (appropriate for writing to the DVD). While this utility can be used from the command-line, "authoring" (conversion) is more easily accomplished using one of several available [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|GUI front-ends]], which allow creation of menus for the DVD as well.

::* With Kubuntu I use KMediaFactory for simple projects. (QDVDAuthor, which is difficult to install in recent Kubuntu versions, is superior and more powerful. [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|KMediaFactory]], in contrast, is in the repositories and is adequate (and quick) for most purposes.
:::* Rename the .mpg files (created with Avidemux or other method) carefully. The filename(s) becomes the Title(s) used by KMediaFactory for the video(s) on the DVD menu.
:::* Set up the DVD menu in KMediaFactory.
::::* KMediaFactory -> Project -> Title -> ''MyDVDTitle'' (this will appear on the DVD Menu at the top)
::::* -> Type: ''DVD-NTSC'' -> Aspect: ''16:9'' -> Destination Folder ''/home/user/DVDs''
:::* Add the .mpg files to the DVD.
::::* KMediaFactory -> Media -> Add Video -> ''MyFirstVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::::* -> Add Video -> ''MySecondVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::* Choose the DVD Menu appearance.
::::* KMediaFactory -> Template -> ''Preview 3''
:::* Choose the output format. For this, I generally create a "DVD folder":
::::* KMediaFactory -> Output -> DVD Folder
::: In this way, prior to burning I can check to make sure my DVD looks the way I had intended using [[Kubuntu_Precise_Media_Players#VLC_Multimedia_Player|VLC]] (VLC -> Media -> Open Disc... -> Browse... -> ''specified_folder'' -> Play)
:::* Start the conversion ("DVD authoring") process. If an error appears, the problem usually lies in a non-existent (or write-protected) folder having been specified when setting the "Title" options. Make sure the folder has been specified properly. KMediaFactory will then create the standard AUDIO_TS and VIDEO_TS folders in the folder specified.
::::* -> Start

::* In Kubuntu I then use [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|K3b]] to burn the AUDIO_TS and VIDEO_TS folders to a blank DVD. This can be done in K3b using the "New Video DVD Project" (K3b -> More actions... -> New Video DVD Project) using the AUDIO_TS and VIDEO_TS folders as the data. Edit the name of the DVD to reflect the desired DVD name. "Burn" the DVD. The result will be identical to commercial DVDs. (Note: In recent versions of K3b I have had to "Burn" using the "growisofs" Writing app at 8x Speed and DAO (Disc-At-Once) Writing Mode in order to achieve reliable burns. See [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|here]] for more details.)

== Recommended formats ==
* There is only one format that works on all my devices (computer (both Linux and Windows), (Android) tablet, (Android) eBook reader, MP3 player, DVD player):
:* .AVI container with XVID/DivX video codec and MP3lame (MP3) audio codec

:I use this for all my devices, and encode files to about 700 MB. This is a good size that gives good quality and allows me to fit many videos on a single SDcard (which I use in my mobile devices). For most of my devices, a 128 kb MP3 encoding bitrate is sufficient; I previously encoded at 192 kb for MP3lame (which is the default bitrate for AC3 sound), but I find this bitrate to be unnecessary. (The higher the encoding bitrate, the larger the encoded file, and I try to keep all my files around 700 MB.) The .AVI container has several limitations: it does not allow more than stereo audio (i.e. no 5.1 surround sound), does not allow multiple subtitle files, and requires a constant bitrate (CBR) audio channel. For advanced archival purposes it may not be suitable in the long-term, but currently it is desirable for the wide range of devices that accept it. It is also one of the only containers guaranteed to be accepted by Windows computers (since the container is originally a Windows-based format).

* I am also able to use an .MP4 container with X264/H.264 video codec and either the AAC audio codec or the MP3lame (MP3) audio codec on many devices, but not all. Neither the X264/H.264 video nor the AAC audio will play on my DVD player or MP3 player, for example (though it plays on my computer and Android tablet devices).

:* The related .M4V container (the proprietary Apple Quicktime format) works on almost none of my devices, and, furthermore, is difficult to decode and re-encode to a different container. I shun this format like the plague.

* The newer .MKV container, though open source and a superior container, is accepted by very few of my older devices. It does not play on my (older) DVD player or MP3 player, for example (no matter which video and audio codecs are used).

:Nevertheless, most newer DVD players seem to accept the .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. Over the years, however, I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at [http://www.bestbuy.com/site/Philips+-+DVD+Player+with+HD+Upconversion/4983625.p;jsessionid=436B03D27CA483A9AB8EC510D0B2B03C.bbolsp-app01-115?id=1218644449769&skuId=4983625&st=philips&cp=1&lp=15 Best Buy] for $40). I highly recommend this player, therefore, if you find yourself with a large collection of .AVI / XVID video files. However, it does not play MP4 files, which is a drawback. (Note: I am told that [http://www.amazon.com/Philips-Region-1080p-Upconverting-Player/dp/B004BI6MVS/ref=pd_cp_e_0#productDescription this upconverting Philips DVD] player will play region-free, both PAL and NTSC formats, and both MP4 and DivX/XVID codecs.)

* My Android (2.3) tablet devices will also not accept the AC3 audio codec (which is the standard audio used on commercial DVDs, for example), so most of the time I re-encode any files having AC3 audio with the MP3lame audio codec instead.

Template:Video Conversion

Perspectoff — Sat, 27 Apr 2013 21:08:02 GMT

Perspectoff: /* Create a commercial (.vob) format DVD */

= Video Conversion =
This guide does not advocate the illegal duplication of copyrighted content. However, fewer and fewer devices use DVDs any longer, and a large amount of video content is distributed on DVDs. It becomes necessary to convert video content into formats that can be viewed on devices that no longer used DVDs. Furthermore, online content is often in a format that is not universally playable and this also requires conversion. Trying to select and encode a video into a format which your device accepts is not always a straightforward task.

== Introduction ==
There are lots of video and audio codecs and lots of methods and preferences for converting between formats. These are only some basic examples. A good deal of trial and error is often required for successful video conversion.

* Mencoder and FFMPEG are the two packages that are the workhorses of video conversion. Of these, mencoder is faster and generally gives better results.

* [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]] uses a streaming algorithm and FFMPEG to "rip" DVDs and can work with many different encryption methods. It uses the (superior, open source) [http://en.wikipedia.org/wiki/Matroska .MKV] container only, however (which is not supported by many devices). It also does not support [http://en.wikipedia.org/wiki/Xvid XVID] (and uses either [http://en.wikipedia.org/wiki/X264 X264/H.264] or [http://en.wikipedia.org/wiki/MPEG-4_Part_14 MP4] video codecs) and therefore its video output is also not universally accepted by a wide range of devices. As these standards become more widely accepted, however, this will be an invaluable encoding tool. On rare occasions I rip a video with Handbrake (to .MKV and H.264/MP3) and then convert it to .AVI (XVID/MP3) in a second step (using mencoder).

* When I originally wrote these articles, .MKV was accommodated by only a handful of DVD players. A recent survey of new DVD players shows that most (including widely available inexpensive DVD players) will now play files in .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. However, over the years I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at Best Buy for $40). I highly recommend this player if you find yourself with a large collection of .AVI / XVID video files.

== Mencoder ==
[http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html Mencoder] is part of the [http://www.mplayerhq.hu/DOCS/HTML/en/index.html MPlayer] set of libraries (that also uses several of the FFMPEG libraries) for audio/visual conversion. If it is not installed on your system, install it:
sudo apt-get install mencoder

Usage instructions can be found from the command-line (''man mencoder'') or [http://linux.die.net/man/1/mencoder here].

=== MP4 with AAC audio to AVI with Xvid / MP3 ===
* The [http://en.wikipedia.org/wiki/Advanced_Audio_Coding#Licensing_and_patents AAC audio codec] is not compatible with many DVD players and devices due to licensing restrictions, whereas the MP3 audio codec is nearly universally accepted. Xvid is the open source version of the DivX video codec and is accepted by a very large number of DVD players and other devices (even older ones, especially those displaying the DivX logo).

* The [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container only allows a [http://en.wikipedia.org/wiki/Constant_bitrate constant bitrate], so the MP3 audio must be encoded at CBR. If the AAC is [http://en.wikipedia.org/wiki/5.1_surround_sound 5.1], it will be downcoded to stereo for MP3.

* This example is a two-pass technique that allows the file size to be specified and quality optimized for that filesize (using the information generated in the first pass). In this example, a 700 MB file is desired (and is specified by the negative value).

This information is from [http://en.gentoo-wiki.com/wiki/HOWTO_Mencoder_Introduction_Guide#XviD the Gentoo Wiki for Xvid and mencoder].

mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

=== Remove MKV subtitles and convert to AVI (XVID/MP3) ===
Mastroska container ([http://en.wikipedia.org/wiki/Matroska .MKV]) video files can have multiple subtitles included. In the default conversion from an .MKV container format to an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container format, the default subtitle file of the .MKV container is automatically hardcoded into the converted .AVI file, which may be undesirable. To overcome this behaviour (so that the converted .AVI has no subtitles), use the ''-sid 999'' option:

mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=1 -o /dev/null
mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

* To hardcode one of the subtitle tracks onto the .AVI video from the .MKV video, choose the subtrack ID, such as ''-sid 0'' or ''-sid 1''.

* If using NTFS and the error

Too many audio packets in the buffer: (4096 in 837540 bytes).
> Maybe you are playing a non-interleaved stream/file or the codec
> failed? For AVI files, try to force non-interleaved mode with the
> -ni option.

appears, then add these options:
-mc 0 -ofps 24000/1001 -noskip

=== DVD to AVI with Xvid / MP3 ===
* See the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-dvd-mpeg4.html mencoder documentation].
* Extract a video (in the .vob format) from a DVD to a file with an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container and [http://en.wikipedia.org/wiki/Xvid XVID]/DivX video and [http://en.wikipedia.org/wiki/LAME .MP3] audio using this (2-pass conversion) command:
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

where dvd://''1'' indicates the first track of the DVD. If you are not sure which track contains the content you wish to extract to a file, one way to check this is to play the DVD with a media player like VLC, examining the tracks on it:
:VLC -> Media -> Open Disc... -> Play -> Playback -> Navigation

or from the command line install lsdvd (''sudo apt-get install lsdvd'') and use it:
lsdvd -v -t 1 /dev/dvd

This will show a list of the title numbers (for the content tracks) on the DVD (and information about them). Use the title number for the content to be extracted.

* Conversion is much faster when done from from a hard drive than from a physical DVD. It is possible to copy the VIDEO_TS and AUDIO_TS folders from the physical DVD to a folder on the hard drive. Once you have copied the contents of the DVD to a folder, add the ''-dvd-device /path/to/dvd_folder'' option to specify it (with the same options as above in addition to the new one):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder''

* Note the ''-vobsub 999'' option to prevent subtitles from being automatically added. (If you wish to hardcode subtitles, use the number of the subtitle track, such as ''-sid 0'' or ''-vobsubid 0'' for the default subtitle track or ''-sid 1'' or ''-vobsubid 1'' for the next subtitle track.)

* Other options for video cropping and scaling can be used. See [http://www.axllent.org/docs/video/mencoder_dvd_to_mpeg4 these hints] and [http://savvyadmin.com/tag/xvid/ these tips], as well as [[#Resize_a_video|this section]].

* When better audio quality is desired, an audio [http://en.wikipedia.org/wiki/Bit_rate bitrate] more than 128 kb/sec can be used (e.g. ''br=160'' or ''br=192''), but this will give a larger file (or will decrease video quality if the filesize remains constant). cbr (constant bitrate) is used for mp3lame encoding in .AVI; I generally increase the volume of the video by 30% using the vol=3 option, as well. My final audio command therefore usually ends up: ''-oac mp3lame -lameopts cbr:br=128:vol=3''.

* If there are multiple audio tracks, the audio track can be selected with the ''-aid 1'' (or similar) option, specifying the number of the desired audio track. (Note: check audio track numbering carefully.) The English default audio track is usually ''-aid 128''. To show information about the audio tracks, use
lsdvd -a -t 1 /dev/dvd

* Although the ''bitrate=-700000'' option specifies a target file size of 700000 (approx. 700 MB), this actually results in a file size of nearly 800 MB. Specify a target filesize about 15% less than actually desired, therefore. For a target 700 Mb file, for example, I use ''bitrate=-620000''.

* For XVID there is an option to allow video seeking (for fast forwarding or rewinding) in 1 second increments (instead of the default 10 second increments): ''-xvidencopts max_key_interval=25'' (seek every 25 frames instead of the default 250 frames). This would be included as part of a more complex option string, such as ''-xvidencopts pass=2:max_key_interval=25:bitrate=-620000''.

* In order to play the converted .AVI file on my older DVD players and televisions (and avoid significant motion artifacts and pixelation), I find that I must use deinterlacing. Only two interlacing methods have worked well for me: ''-vf pp=lb'' or ''-vf yadif=0''. There are many methods of deinterlacing for mencoder, however (see [http://guru.multimedia.cx/deinterlacing-filters/ here] and [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html here], for example). Deinterlacing may not be necessary for your needs (when used for archival purposes only, for example, or if viewing files with media players (such as VLC) that already have built-in deinterlacing capabilities). Often recommended when ripping NTSC-format movies (progressive or telecined) is to include the option ''-vf pullup,softskip,harddup'', which must be used with a deinterlacing filter, such as ''-vf pullup,softskip,pp=lb,harddup'' (or ''-vf pullup,softskip,yadif=0,harddup''). The order of the telecine/progressive option, the deinterlacing option, and any cropping or scaling options is very specific -- read the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html#menc-feat-telecine-encode mencoder documentation] carefully when mixing these options. Specifically, cropping and scaling (when used) should be done after the telecine/progressive/deinterlacing options but before the frame duplication option, e.g. ''-vf pullup,softskip,pp=lb,crop=720:416:0:80,scale=704:304,harddup''.

* Note: You will need [[Kubuntu_Precise_Audio_Video_Conversion#libdvdcss|libdvdcss2]] installed on your system to access DVD data. If your DVD has encryption that is not able to be decrypted by libdvdcss, then consider using [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]], which uses a streaming algorithm to "rip" DVDs.

* This is the 2-pass command I end up using most often (with 4:3 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

* This is the 2-pass command I end up using most often (with 16:9 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

:The scale option is set so that I can play the video on analogue televisions with overscan (I still have a few of those). However, an alternative is to use ''scale=720:406'' for use on most widescreen TVs.

==== Using k9copy as a conversion front-end ====
* [[Kubuntu_Precise_Audio_Video_Conversion#K9copy_.28DVD_Ripper.29|k9copy]] is a good front-end for mencoder (as well as ffmpeg).
* To add an option to encode to XVID from an NTSC DVD (when using mencoder within k9copy), I add the necessary options to the Video codecs section:
:k9copy -> Configure k9copy -> Encoders -> ''mencoder'' -> Add -> label: ''XVID from NTSC'' -> first pass ->
-ovc xvid -xvidencopts bitrate=$VIDBR:turbo:pass=$PASS:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

The same command is entered for the "second pass" option as well. For the "one pass" option enter:
-ovc xvid -xvidencopts bitrate=$VIDBR:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

* To then use this new Video codec option, make sure it is selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Video -> Codec -> ''XVID from NTSC'' -> 2 pass (''ticked'') -> Apply

At the same time, the MP3 (lame) Audio codec option can be selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Audio -> Codec -> ''mp3 (lame)'' -> OK

* Now when the Output: ''MPEG-4 encoding'' is selected from the main screen, this "XVID from NTSC" Video encoding option will be used.

* Note that the ''-vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup'' option can be used with any Video codec, not just XVID.

=== AVI to MPG ===
* The MPG format is sometimes useful for creating DVDs (using the [http://en.wikipedia.org/wiki/MPEG-1 MPEG-1] or [http://en.wikipedia.org/wiki/MPEG-2 MPEG-2] video codec, which can be then used for vob files using [[Ubuntu:All#DVD_Author|QDVDAuthor]] or [[Ubuntu:All#ToVid|ToVid]]). If the audio codec of the AVI file is already AC3 or MP3, it usually can be copied. This example is take from the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-mpeg.html MPlayer/Mencoder documentation]. Example:

mencoder <input.avi> -of mpeg -ovc lavc -lavcopts vcodec=mpeg1video -oac copy -o <output.mpg>

=== Increase volume ===

* Use the ''-af volume=3:0'' option, where the first number (3 in the example) is the number of decibels to increment the volume (a 3 db increment doubles the volume), and the second number is 0 for hard-clipping and 1 to allow software-based clipping (to prevent oversaturation when the sound becomes too loud).

For example, if I want to double the sound volume of my .AVI video:

mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128 -af volume=3:0 -o <output.avi>

* This can also be done when encoding to the mp3lame audio codec by adding an option to the mp3lame options:
mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128:vol=3 -o <output.avi>

:where ''vol=3'' can be set to any value between -10 and 10. I use ''vol=3'' to increase the volume 30%. (This method works best for me.)

=== Add subtitles to video ===
* [http://en.wikipedia.org/wiki/SubRip .srt] subtitle files are essentially text files with time stamps. They are meant to be used with digital video files (such as .AVI files) and are different from the image-based .idx / .sub subtitle files (vobsub) used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs.

* Using mencoder:
mencoder -ovc [codec] [codec opts] -oac copy -sub [sub file.srt] -subfont-text-scale [3 normally]

In the example above, this would be:
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

*Note: When adding subtitles to an .AVI video, you must transcode it completely. It is not sufficient to merely add the subtitle track as listed above -- the entire video must be re-transcoded. So, for example:

mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

=== Trim a video ===
*Using mencoder:

mencoder <input.avi> -ovc copy -oac mp3lame -ss 01:57:12 -endpos 00:04:08 -o <output.avi>

where -ss indicates the start position of the clip (hh:mm:ss) and -endpos indicates how long the clip should be. (I use mp3lame for the audio codec because YouTube accepts that.)

=== Resize a video ===
*Using mencoder:
mencoder <input.avi> -ovc xvid -vf scale=320:240 -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

where -vf scale=320x240 indicates that the resulting video should be of that size. The position of the suboption in the command string is important.

* [http://en.wikipedia.org/wiki/High-definition_television HDTV] resolution is usually 1920 x 1080 ("1080p") or 1280 x 720 ("720p"). A [http://en.wikipedia.org/wiki/Standard-definition_television standard definition] widescreen TV has a maximum height of "480p" (usually 853 x 480 but sometimes 720 x 406). The standard width:height [http://en.wikipedia.org/wiki/Aspect_ratio_%28image%29 aspect ratio] for cinema is 1.85:1, whereas the average aspect ratio for widescreen movies distributed for display on television is 16:9 (1.78:1). When resizing a video, it is good to know the original dimensions of the video and maintain the width to height aspect ratio in the chosen scale.

:*Example: A video is distributed as 1280 x 692 (which has an aspect ratio of 1.85:1). The device (a low resolution television) on which it is to be displayed has a maximum width of 720. The desired resolution would then be 720 x 390 to keep the aspect ratio at approximately 1.85:1. The option would then be ''-vf scale=720:390''. An analog television would require 10% [http://en.wikipedia.org/wiki/Overscan overscan], making the maximum width 648. To keep an aspect ratio of 1.85:1 would require a resolution of 648 x 350, or a scale option of ''-vf scale=648:350''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on a television with a maximum width of 720p, which would require a final resolution of 720 x 406 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=720:406''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on an analogue television with 10% [http://en.wikipedia.org/wiki/Overscan overscan], which would require a final resolution of 648 x 364 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=648:364''.

* [http://en.wikipedia.org/wiki/Standard-definition_television "Standard" definition] [http://en.wikipedia.org/wiki/Analog_television analog television] has a 4:3 ratio, for which a scale of 640:480 (''-vf scale=640:480'') is generally preferable.

=== Convert to .MP3 audio file ===
* I find [[#Convert_to_.MP3_audio_file_using_FFMPEG|FFMPEG]] to be easier for this task.

* (''Under construction'') To use Mplayer to extract audio to pcm .wav file:
mplayer <input.avi> -vc null -oa pcm -aofile -ss 1441.4 -endpos 260.1 <output.wav>

*Then convert the .wav file to .mp3 with your favourite converter (such as SoundConverter).

=== Change audio track of video ===
* In general, [[All#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a good video editor for most needs, including muxing and demuxing video and audio.

* For a quick method to change the audio for a video, I like to merely remove the audio from the original video file using the ''-nosound'' option, for example:

mencoder <input.avi> -ovc copy -nosound -o <outputnosound.avi>

* Then, I add a new audio file as the audio track to the video using the ''-audiofile'' option. For example, if I now want to add an .mp3 audio track named <newaudio.mp3>, I would use the command:

mencoder <outputnosound.avi> -ovc copy -oac mp3lame -audiofile <newaudio.mp3> -o <output.avi>

== FFMPEG ==
[http://ffmpeg.org/ FFMPEG] is the swiss-army knife of video and audio format conversion. It succeeds when no other program can. It is free and open source. If it not yet installed on your system as part of another package (it is used by many video/audio editors), then install it:
sudo apt-get install ffmpeg

*To convert many different formats, read the [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html FFMPEG documentation]. Also see [http://howto-pages.org/ffmpeg/ this tutorial].

=== Flash video (.flv) to MPG-2 using FFMPEG ===
* To convert a saved Flash video (.flv) to an MPEG-2 format playable on a DVD, convert:
ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd ''samplevideo.mpg''

* Then use [[Kubuntu:Oneiric#K3b (CD/DVD burner)|K3b]] (or [[Ubuntu:Oneiric#Gnomebaker (CD/DVD burner)|Gnomebaker]]) to write the mpg file to a New DVD Data Project.

:*For PAL use -target pal-dvd. For widescreen, use -target film-dvd. For other conversion tips, see [http://ubuntuforums.org/archive/index.php/t-1006250.html this forum]. (Note: Most Flash video has very low resolution, with a screen size of 360x270, for example. You may see a slight diminishment in resolution if you wish to convert it to 720x480 (which is the NTSC standard size) or other screen size. You can keep the original screen size and resolution by omitting the -target parameter.) If your original file is 16:9 widescreen and you desire a 4:3 letterbox output for playing on an overscanned TV, you may need to pad the file so that the widescreen is not compressed (see [http://ubuntuforums.org/showthread.php?t=1010648 this forum]):

ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 ''samplevideo.mpg''

* You can also use the WinFF GUI and add the command (as above) as a "Preset," for subsequent use. For example:
:Video converter (WinFF) -> Edit -> Presets ->
:: Preset Name: Letterbox -> Preset Label: 16:9 Widescreen to 4:3 Letterbox
:: Preset command: -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58
::Ouput file extension: mpg -> Category: DVD
:::-> Add/Update -> Save

*To convert to MPEG-4 (mp4) files, use
ffmpeg -i ''samplevideo.flv'' ''outputvideo.mp4''

* FFMPEG requires that multiple [[Kubuntu:Oneiric#Restricted Extras|restricted extra codecs]] be installed. This can be done in a single easy step from the command-line Terminal:
sudo apt-get install kubuntu-restricted-extras
:or
sudo apt-get install ubuntu-restricted-extras

=== Convert to .MP3 audio file using FFMPEG ===
==== Convert Flash video audio to mp3 ====
* Once you have downloaded flash video content (.flv) from the Internet (using the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video Download Helper plug-in for Firefox]], for example), the audio component can be converted to an mp3 using this command (from the command line Terminal). (This will work for any type of video file, not just Flash.)
ffmpeg -i ''nameofvideoclip.flv'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''

:where -i indicates the input, -ab indicates the bit rate (in this example 160kb/sec), -vn means no video ouput, -ac 2 means 2 channels, -ar 44100 indicates the sampling frequency. See [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html#SEC11 FFMPEG docs] for more info.

If I only want a segment of the video to be converted, I can use the time markers:
ffmpeg -i ''nameofvideoclip.flv'' -ss ''00:00:09'' -t ''00:03:00'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''
:where -ss ''00:00:09'' indicates the point in the video (hh:mm:ss) at which to start conversion and -t ''00:03:00'' indicates the amount of time (from the start point) to convert.

* As long as [[#FFMPEG|FFMPEG]] is already installed, the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video DownloadHelper plug-in for Firefox]] already has an option to automatically convert an online video (such as those found at YouTube) into an .MP3 file. (Settings are adjustable.) From the DownloadHelper icon in Firefox, highlight the video to convert, then
:DownloadHelper icon -> Download and Convert -> Converter options: MP3

=== Edit/convert screencapture with FFMPEG ===
''Note: This section under construction.''

*Note: I now recommend using [[Video_Conversion|mencoder for all video conversion]] techniques. It uses some of the ffmpeg libraries but is faster and gives more reliable and high-quality results.

*This is only one example of a wide variety of techniques. Once I have a [[Screencasts#FFMPEG_with_x11grab|captured video]], I want to convert it to XVID video (which is the format my older DVD player accepts) and MP3 audio (mp3lame), which I will place in an AVI container (which my DVD player also accepts).

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -acodec libmp3lame -ss 00:00:09 -t 00:03:00 ''Punchcast2.avi''

I will start conversion (-ss) at second 9 (to eliminate unimportant things at the beginning) and convert 3 minutes (-t) of video (00:03:00).

* I happen to watch my screencasts on my old-fashioned 4:3 television. To do that, I make a letterboxed video:

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 -acodec libmp3lame ''Punchcast3.avi''

My laptop screen is 1366x768, which I reduce to a size of 648x364. My TV wants 720x480, so I pad the sides and top/bottom. Why not a width of 720 initially? My older television has 10% overscan, which cuts off 10% of the video. I therefore use (at least) 10% padding on the edges.

In newer versions of FFMPEG, the padding (and many other) options have changed. The proper command is now:
ffmpeg -i Punchcast1.avi -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -vf pad 720:480:36:58 -acodec libmp3lame Punchcast3.avi

ffmpeg movie=Punchcast1.avi:seek_point=9 -vcodec copy -acodec libmp3lame Punchcast1f.avi

=== WinFF (FFMPEG GUI) ===
[http://winff.org WinFF] is a free, GPL-licensed open source GUI frontend for FFMPEG. Install:
sudo apt-get install winff xterm
Run:
:Menu -> Applications -> Sound & Video -> WinFF

== VobSub2SRT (Convert subtitles from .sub/.idx to .srt) ==
* [https://github.com/ruediger/VobSub2SRT VobSub2SRT] is a simple (GPLv3-licensed) command line program to convert the image-based .idx / .sub subtitle files (used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs) into text-based [http://en.wikipedia.org/wiki/SubRip .srt] text subtitle files by using OCR. It is based on code from the [[Ubuntu:All#MPlayer_Multimedia_Player|MPlayer]] project, [[Ubuntu:All#Tesseract_.28Optical_Character_Reader.29|Tesseract]] as OCR software, and libavutil (part of the [[Ubuntu:All#FFMPEG_video_.2F_audio_conversion|FFmpeg]] project). Install the (K)Ubuntu/Debian (.deb) package from a PPA repository:
sudo add-apt-repository ppa:ruediger-c-plusplus/vobsub2srt
sudo apt-get update
sudo apt-get install vobsub2srt

* Alternatively, you can download and build a version from source code.
:* Install dependencies:
sudo apt-get install pkg-config build-essential cmake libavutil-dev libtesseract-dev

:* For (K)Ubuntu 12.10 (Quantal) also install:
sudo apt-get install libtiff5-dev tesseract-ocr-eng

:* For (K)Ubuntu 12.04LTS (Precise) also install:
sudo apt-get install libtiff4-dev tesseract-ocr tesseract-ocr-eng 

::* If you will be converting subtitles in languages other than English, you must install tesseract for any or all of those languages as well:
sudo apt-get install tesseract-ocr-vie tesseract-ocr-deu tesseract-ocr-fra tesseract-ocr-ita
sudo apt-get install tesseract-ocr-nld tesseract-ocr-spa tesseract-ocr-por tesseract-ocr-deu-f
::where vie is for Vietnamese, deu is for German, fra is for French, ita is for Italian, nld is for Dutch, spa is for Spanish, por is for Portugeuse, and deu-f is for German Fraktur script. If you don't you will get an error of the type: ''Unable to load unicharset file /usr/share/tesseract-ocr/tessdata/xxx.unicharset''.

:* Download and unzip the VobSub2SRT .zip file into its own directory:
mkdir vobsub2srt
cd vobsub2srt
wget -O vobsub2srt-current.zip <nowiki>https://github.com/ruediger/VobSub2SRT/zipball/ca53a18108eb08d6e2b853643d8c6838e2489823</nowiki>
unzip vobsub2srt-current.zip
rm vobsub2srt-current.zip

:* This will create a subdirectory with the current version. For example, my version is ''vobsub2srt/ruediger-VobSub2SRT-ca53a18''. Change into that directory then compile and install the program.
cd ''ruediger-VobSub2SRT-ca53a18''
./configure
make
sudo make install

:* This should install the program vobsub2srt to /usr/local/bin. You can uninstall vobsub2srt with ''sudo make uninstall''. You can build a *.deb package (Debian/Ubuntu) with ''make package''. The package is created in the build directory.

* Convert the .sub / .idx pair of subtitle files (named ''Filename.sub'' and ''Filename.idx'') into a .srt sbutitle file (named ''Filename.srt''):
vobsub2srt ''Filename''

:where Filename is the file name of the subtitle files WITHOUT the extension (.sub / .idx).

*If there are multiple languages in the .sub / .idx pair of subtitle files, you can select which language to convert (using the 2-letter [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639-1] language code, e.g. en, fr, de, it, es, pt, etc.):
vobsub2srt --lang en ''Filename''

* Edit the .srt subtitle file for OCR mistakes (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
kate ''Filename.srt''

== Join .MPG video segments ==
Individual video segments (MPEG-2, for example) can easily be joined:
cat ''samplevideo1.mpg'' ''samplevideo2.mpg'' ''samplevideo3.mpg'' > ''samplevideo123.mpg''

:You can then write the resulting MPEG-2 file to a DVD and play it in most DVD players.

== Split a file into segments ==
Any file can be [http://en.wikipedia.org/wiki/Split_%28Unix%29 split] into segments using the Linux command:
split -b 1440k ''my_big_file''

which will split ''my_big_file'' into equal segments of size 1440 kb.

== Create a commercial (.vob) format DVD ==
* The audiovideo container of commercial DVDs uses the [http://en.wikipedia.org/wiki/VOB .vob format]. This container requires either MPEG-1 or MPEG-2 video (.mpg) and either AC3 or MPEG-2 (.mp2) audio. Therefore, the first step in creating a DVD-video in this format is to convert all audiovisual files (to be included on it) to .mpg files (with one of those video and audio formats), usually with the MPEG-PS (A+V) container. This can be done from the command-line terminal (using mencoder or ffmpeg) or from a GUI utility (such as Avidemux).

:* The GUI utility [[Kubuntu_Precise_Video#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a GUI utility that has standardised settings for file conversion. [http://avidemux.org/admWiki/doku.php?id=tutorial:converting_to_dvd Here] is the Avidemux tutorial for conversion to a DVD-video.

::* Open the file and allow the time map and Index to be rebuilt.
::* It is best to convert a file (to be included on the DVD) to a format with MPEG-2 (avcodec) video, AC3 (lav) audio, and the MPEG-PS (A+V) container as an intermediate first. The MP2 audio format (the default for Avidemux in "Auto" mode) can also be used, and will result in a much smaller .mpg file then when using AC3 audio, but several of my very old DVD players only recognise AC3 audio (so this has therefore become my personal preference).
:::* The easiest method for doing this is to use the Avidemux Auto DVD wizard. (Avidemux -> Auto -> Optical Disc -> DVD). Select the appropriate souce and destination ratios. (My source videos are usually already in 16:9 widescreen formats, and I want to make DVDs for my widescreen 16:9 TV. I therefore choose 16:9 for both the "Source Aspect Ratio" and the "Destination Aspect Ratio.") The Auto DVD Wizard uses MP2 audio by default, but I personally like AC3 audio instead (the format usually used on "commercial" DVDs). I therefore change this using the Audio -> AC3 (lav) option.
:::* It is possible to customise (or initially set) the format options manually as well (see the Avidemux documentation). Select the Video (and make sure the aspect ratio is the one you desire in Video -> Configure -> Configuration: DVD -> Aspect Ratio: ''16:9'' ), Audio, and (container) Format options.
::::* To be DVD compliant, the resolution must be
:::::* 352*480 or 720*480 or 704*480 for NTSC
:::::* 352*576 or 720*576 or 704*576 for PAL/SECAM
:::: This is set automatically if using the Auto DVD wizard. If your original video does not already have the correct aspect ratio, you will have to use cropping, scaling, and/or black bar "Filter" options until one of the standard resolutions is achieved.

::* Save the file ( Avidemux -> File -> Save -> Save Video... -> ''myconvertedvideo.mpg'' ) to activate the conversion process. (If prompted whether to "Reuse the existing log file?" answer "No.")

:* Alternatively, mencoder can be used from the command-line to [[#AVI_to_MPG|convert a file to the .mpg format]].

:* Alternatively, FFMPEG can be used from the command-line to [[#Flash_video_.28.flv.29_to_MPG-2_using_FFMPEG|convert a file to the .mpg format]]. A simplified preset option for for conversion to both PAL and NTSC options is available.

* Once all files to be included on the DVD-video have been converted to .mpg files, the utility [[Kubuntu_Precise_Audio_Video_Conversion#DVD_Author|dvdauthor]] can be used for conversion to .vob format (appropriate for writing to the DVD). While this utility can be used from the command-line, "authoring" (conversion) is more easily accomplished using one of several available [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|GUI front-ends]], which allow creation of menus for the DVD as well.

::* With Kubuntu I use KMediaFactory for simple projects. (QDVDAuthor, which is difficult to install in recent Kubuntu versions, is superior and more powerful. [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|KMediaFactory]], in contrast, is in the repositories and is adequate (and quick) for most purposes.
:::* Rename the .mpg files (created with Avidemux or other method) carefully. The filename(s) becomes the Title(s) used by KMediaFactory for the video(s) on the DVD menu.
:::* Set up the DVD menu in KMediaFactory.
::::* KMediaFactory -> Project -> Title -> ''MyDVDTitle'' (this will appear on the DVD Menu at the top)
::::* -> Type: ''DVD-NTSC'' -> Aspect: ''16:9'' -> Destination Folder ''/home/user/DVDs''
:::* Add the .mpg files to the DVD.
::::* KMediaFactory -> Media -> Add Video -> ''MyFirstVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::::* -> Add Video -> ''MySecondVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::* Choose the DVD Menu appearance.
::::* KMediaFactory -> Template -> ''Preview 3''
:::* Choose the output format. For this, I generally create a "DVD folder" which I can then check using [[Kubuntu_Precise_Media_Players#VLC_Multimedia_Player|VLC]] to make sure my DVD looks the way I had intended. (VLC -> Media -> Open Disc... -> Browse... -> ''specified_folder'' -> Play)
::::* KMediaFactory -> Output -> DVD Folder
:::* Start the conversion ("DVD authoring") process. If an error appears, the problem usually lies in a non-existent (or write-protected) folder having been specified when setting the "Title" options. Make sure the folder has been specified properly. KMediaFactory will then create the standard AUDIO_TS and VIDEO_TS folders in the folder specified.
::::* -> Start

::* In Kubuntu I then use [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|K3b]] to burn the AUDIO_TS and VIDEO_TS folders to a blank DVD. This can be done in K3b using the "New Video DVD Project" (K3b -> More actions... -> New Video DVD Project) using the AUDIO_TS and VIDEO_TS folders as the data. Edit the name of the DVD to reflect the desired DVD name. "Burn" the DVD. The result will be identical to commercial DVDs. (Note: In recent versions of K3b I have had to "Burn" using the "growisofs" Writing app at 8x Speed and DAO (Disc-At-Once) Writing Mode in order to achieve reliable burns. See [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|here]] for more details.)

== Recommended formats ==
* There is only one format that works on all my devices (computer (both Linux and Windows), (Android) tablet, (Android) eBook reader, MP3 player, DVD player):
:* .AVI container with XVID/DivX video codec and MP3lame (MP3) audio codec

:I use this for all my devices, and encode files to about 700 MB. This is a good size that gives good quality and allows me to fit many videos on a single SDcard (which I use in my mobile devices). For most of my devices, a 128 kb MP3 encoding bitrate is sufficient; I previously encoded at 192 kb for MP3lame (which is the default bitrate for AC3 sound), but I find this bitrate to be unnecessary. (The higher the encoding bitrate, the larger the encoded file, and I try to keep all my files around 700 MB.) The .AVI container has several limitations: it does not allow more than stereo audio (i.e. no 5.1 surround sound), does not allow multiple subtitle files, and requires a constant bitrate (CBR) audio channel. For advanced archival purposes it may not be suitable in the long-term, but currently it is desirable for the wide range of devices that accept it. It is also one of the only containers guaranteed to be accepted by Windows computers (since the container is originally a Windows-based format).

* I am also able to use an .MP4 container with X264/H.264 video codec and either the AAC audio codec or the MP3lame (MP3) audio codec on many devices, but not all. Neither the X264/H.264 video nor the AAC audio will play on my DVD player or MP3 player, for example (though it plays on my computer and Android tablet devices).

:* The related .M4V container (the proprietary Apple Quicktime format) works on almost none of my devices, and, furthermore, is difficult to decode and re-encode to a different container. I shun this format like the plague.

* The newer .MKV container, though open source and a superior container, is accepted by very few of my older devices. It does not play on my (older) DVD player or MP3 player, for example (no matter which video and audio codecs are used).

:Nevertheless, most newer DVD players seem to accept the .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. Over the years, however, I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at [http://www.bestbuy.com/site/Philips+-+DVD+Player+with+HD+Upconversion/4983625.p;jsessionid=436B03D27CA483A9AB8EC510D0B2B03C.bbolsp-app01-115?id=1218644449769&skuId=4983625&st=philips&cp=1&lp=15 Best Buy] for $40). I highly recommend this player, therefore, if you find yourself with a large collection of .AVI / XVID video files. However, it does not play MP4 files, which is a drawback. (Note: I am told that [http://www.amazon.com/Philips-Region-1080p-Upconverting-Player/dp/B004BI6MVS/ref=pd_cp_e_0#productDescription this upconverting Philips DVD] player will play region-free, both PAL and NTSC formats, and both MP4 and DivX/XVID codecs.)

* My Android (2.3) tablet devices will also not accept the AC3 audio codec (which is the standard audio used on commercial DVDs, for example), so most of the time I re-encode any files having AC3 audio with the MP3lame audio codec instead.

Template:Video Conversion

Perspectoff — Sat, 27 Apr 2013 21:07:10 GMT

Perspectoff: /* Create a commercial (.vob) format DVD */

= Video Conversion =
This guide does not advocate the illegal duplication of copyrighted content. However, fewer and fewer devices use DVDs any longer, and a large amount of video content is distributed on DVDs. It becomes necessary to convert video content into formats that can be viewed on devices that no longer used DVDs. Furthermore, online content is often in a format that is not universally playable and this also requires conversion. Trying to select and encode a video into a format which your device accepts is not always a straightforward task.

== Introduction ==
There are lots of video and audio codecs and lots of methods and preferences for converting between formats. These are only some basic examples. A good deal of trial and error is often required for successful video conversion.

* Mencoder and FFMPEG are the two packages that are the workhorses of video conversion. Of these, mencoder is faster and generally gives better results.

* [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]] uses a streaming algorithm and FFMPEG to "rip" DVDs and can work with many different encryption methods. It uses the (superior, open source) [http://en.wikipedia.org/wiki/Matroska .MKV] container only, however (which is not supported by many devices). It also does not support [http://en.wikipedia.org/wiki/Xvid XVID] (and uses either [http://en.wikipedia.org/wiki/X264 X264/H.264] or [http://en.wikipedia.org/wiki/MPEG-4_Part_14 MP4] video codecs) and therefore its video output is also not universally accepted by a wide range of devices. As these standards become more widely accepted, however, this will be an invaluable encoding tool. On rare occasions I rip a video with Handbrake (to .MKV and H.264/MP3) and then convert it to .AVI (XVID/MP3) in a second step (using mencoder).

* When I originally wrote these articles, .MKV was accommodated by only a handful of DVD players. A recent survey of new DVD players shows that most (including widely available inexpensive DVD players) will now play files in .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. However, over the years I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at Best Buy for $40). I highly recommend this player if you find yourself with a large collection of .AVI / XVID video files.

== Mencoder ==
[http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html Mencoder] is part of the [http://www.mplayerhq.hu/DOCS/HTML/en/index.html MPlayer] set of libraries (that also uses several of the FFMPEG libraries) for audio/visual conversion. If it is not installed on your system, install it:
sudo apt-get install mencoder

Usage instructions can be found from the command-line (''man mencoder'') or [http://linux.die.net/man/1/mencoder here].

=== MP4 with AAC audio to AVI with Xvid / MP3 ===
* The [http://en.wikipedia.org/wiki/Advanced_Audio_Coding#Licensing_and_patents AAC audio codec] is not compatible with many DVD players and devices due to licensing restrictions, whereas the MP3 audio codec is nearly universally accepted. Xvid is the open source version of the DivX video codec and is accepted by a very large number of DVD players and other devices (even older ones, especially those displaying the DivX logo).

* The [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container only allows a [http://en.wikipedia.org/wiki/Constant_bitrate constant bitrate], so the MP3 audio must be encoded at CBR. If the AAC is [http://en.wikipedia.org/wiki/5.1_surround_sound 5.1], it will be downcoded to stereo for MP3.

* This example is a two-pass technique that allows the file size to be specified and quality optimized for that filesize (using the information generated in the first pass). In this example, a 700 MB file is desired (and is specified by the negative value).

This information is from [http://en.gentoo-wiki.com/wiki/HOWTO_Mencoder_Introduction_Guide#XviD the Gentoo Wiki for Xvid and mencoder].

mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

=== Remove MKV subtitles and convert to AVI (XVID/MP3) ===
Mastroska container ([http://en.wikipedia.org/wiki/Matroska .MKV]) video files can have multiple subtitles included. In the default conversion from an .MKV container format to an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container format, the default subtitle file of the .MKV container is automatically hardcoded into the converted .AVI file, which may be undesirable. To overcome this behaviour (so that the converted .AVI has no subtitles), use the ''-sid 999'' option:

mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=1 -o /dev/null
mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

* To hardcode one of the subtitle tracks onto the .AVI video from the .MKV video, choose the subtrack ID, such as ''-sid 0'' or ''-sid 1''.

* If using NTFS and the error

Too many audio packets in the buffer: (4096 in 837540 bytes).
> Maybe you are playing a non-interleaved stream/file or the codec
> failed? For AVI files, try to force non-interleaved mode with the
> -ni option.

appears, then add these options:
-mc 0 -ofps 24000/1001 -noskip

=== DVD to AVI with Xvid / MP3 ===
* See the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-dvd-mpeg4.html mencoder documentation].
* Extract a video (in the .vob format) from a DVD to a file with an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container and [http://en.wikipedia.org/wiki/Xvid XVID]/DivX video and [http://en.wikipedia.org/wiki/LAME .MP3] audio using this (2-pass conversion) command:
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

where dvd://''1'' indicates the first track of the DVD. If you are not sure which track contains the content you wish to extract to a file, one way to check this is to play the DVD with a media player like VLC, examining the tracks on it:
:VLC -> Media -> Open Disc... -> Play -> Playback -> Navigation

or from the command line install lsdvd (''sudo apt-get install lsdvd'') and use it:
lsdvd -v -t 1 /dev/dvd

This will show a list of the title numbers (for the content tracks) on the DVD (and information about them). Use the title number for the content to be extracted.

* Conversion is much faster when done from from a hard drive than from a physical DVD. It is possible to copy the VIDEO_TS and AUDIO_TS folders from the physical DVD to a folder on the hard drive. Once you have copied the contents of the DVD to a folder, add the ''-dvd-device /path/to/dvd_folder'' option to specify it (with the same options as above in addition to the new one):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder''

* Note the ''-vobsub 999'' option to prevent subtitles from being automatically added. (If you wish to hardcode subtitles, use the number of the subtitle track, such as ''-sid 0'' or ''-vobsubid 0'' for the default subtitle track or ''-sid 1'' or ''-vobsubid 1'' for the next subtitle track.)

* Other options for video cropping and scaling can be used. See [http://www.axllent.org/docs/video/mencoder_dvd_to_mpeg4 these hints] and [http://savvyadmin.com/tag/xvid/ these tips], as well as [[#Resize_a_video|this section]].

* When better audio quality is desired, an audio [http://en.wikipedia.org/wiki/Bit_rate bitrate] more than 128 kb/sec can be used (e.g. ''br=160'' or ''br=192''), but this will give a larger file (or will decrease video quality if the filesize remains constant). cbr (constant bitrate) is used for mp3lame encoding in .AVI; I generally increase the volume of the video by 30% using the vol=3 option, as well. My final audio command therefore usually ends up: ''-oac mp3lame -lameopts cbr:br=128:vol=3''.

* If there are multiple audio tracks, the audio track can be selected with the ''-aid 1'' (or similar) option, specifying the number of the desired audio track. (Note: check audio track numbering carefully.) The English default audio track is usually ''-aid 128''. To show information about the audio tracks, use
lsdvd -a -t 1 /dev/dvd

* Although the ''bitrate=-700000'' option specifies a target file size of 700000 (approx. 700 MB), this actually results in a file size of nearly 800 MB. Specify a target filesize about 15% less than actually desired, therefore. For a target 700 Mb file, for example, I use ''bitrate=-620000''.

* For XVID there is an option to allow video seeking (for fast forwarding or rewinding) in 1 second increments (instead of the default 10 second increments): ''-xvidencopts max_key_interval=25'' (seek every 25 frames instead of the default 250 frames). This would be included as part of a more complex option string, such as ''-xvidencopts pass=2:max_key_interval=25:bitrate=-620000''.

* In order to play the converted .AVI file on my older DVD players and televisions (and avoid significant motion artifacts and pixelation), I find that I must use deinterlacing. Only two interlacing methods have worked well for me: ''-vf pp=lb'' or ''-vf yadif=0''. There are many methods of deinterlacing for mencoder, however (see [http://guru.multimedia.cx/deinterlacing-filters/ here] and [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html here], for example). Deinterlacing may not be necessary for your needs (when used for archival purposes only, for example, or if viewing files with media players (such as VLC) that already have built-in deinterlacing capabilities). Often recommended when ripping NTSC-format movies (progressive or telecined) is to include the option ''-vf pullup,softskip,harddup'', which must be used with a deinterlacing filter, such as ''-vf pullup,softskip,pp=lb,harddup'' (or ''-vf pullup,softskip,yadif=0,harddup''). The order of the telecine/progressive option, the deinterlacing option, and any cropping or scaling options is very specific -- read the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html#menc-feat-telecine-encode mencoder documentation] carefully when mixing these options. Specifically, cropping and scaling (when used) should be done after the telecine/progressive/deinterlacing options but before the frame duplication option, e.g. ''-vf pullup,softskip,pp=lb,crop=720:416:0:80,scale=704:304,harddup''.

* Note: You will need [[Kubuntu_Precise_Audio_Video_Conversion#libdvdcss|libdvdcss2]] installed on your system to access DVD data. If your DVD has encryption that is not able to be decrypted by libdvdcss, then consider using [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]], which uses a streaming algorithm to "rip" DVDs.

* This is the 2-pass command I end up using most often (with 4:3 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

* This is the 2-pass command I end up using most often (with 16:9 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

:The scale option is set so that I can play the video on analogue televisions with overscan (I still have a few of those). However, an alternative is to use ''scale=720:406'' for use on most widescreen TVs.

==== Using k9copy as a conversion front-end ====
* [[Kubuntu_Precise_Audio_Video_Conversion#K9copy_.28DVD_Ripper.29|k9copy]] is a good front-end for mencoder (as well as ffmpeg).
* To add an option to encode to XVID from an NTSC DVD (when using mencoder within k9copy), I add the necessary options to the Video codecs section:
:k9copy -> Configure k9copy -> Encoders -> ''mencoder'' -> Add -> label: ''XVID from NTSC'' -> first pass ->
-ovc xvid -xvidencopts bitrate=$VIDBR:turbo:pass=$PASS:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

The same command is entered for the "second pass" option as well. For the "one pass" option enter:
-ovc xvid -xvidencopts bitrate=$VIDBR:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

* To then use this new Video codec option, make sure it is selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Video -> Codec -> ''XVID from NTSC'' -> 2 pass (''ticked'') -> Apply

At the same time, the MP3 (lame) Audio codec option can be selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Audio -> Codec -> ''mp3 (lame)'' -> OK

* Now when the Output: ''MPEG-4 encoding'' is selected from the main screen, this "XVID from NTSC" Video encoding option will be used.

* Note that the ''-vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup'' option can be used with any Video codec, not just XVID.

=== AVI to MPG ===
* The MPG format is sometimes useful for creating DVDs (using the [http://en.wikipedia.org/wiki/MPEG-1 MPEG-1] or [http://en.wikipedia.org/wiki/MPEG-2 MPEG-2] video codec, which can be then used for vob files using [[Ubuntu:All#DVD_Author|QDVDAuthor]] or [[Ubuntu:All#ToVid|ToVid]]). If the audio codec of the AVI file is already AC3 or MP3, it usually can be copied. This example is take from the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-mpeg.html MPlayer/Mencoder documentation]. Example:

mencoder <input.avi> -of mpeg -ovc lavc -lavcopts vcodec=mpeg1video -oac copy -o <output.mpg>

=== Increase volume ===

* Use the ''-af volume=3:0'' option, where the first number (3 in the example) is the number of decibels to increment the volume (a 3 db increment doubles the volume), and the second number is 0 for hard-clipping and 1 to allow software-based clipping (to prevent oversaturation when the sound becomes too loud).

For example, if I want to double the sound volume of my .AVI video:

mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128 -af volume=3:0 -o <output.avi>

* This can also be done when encoding to the mp3lame audio codec by adding an option to the mp3lame options:
mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128:vol=3 -o <output.avi>

:where ''vol=3'' can be set to any value between -10 and 10. I use ''vol=3'' to increase the volume 30%. (This method works best for me.)

=== Add subtitles to video ===
* [http://en.wikipedia.org/wiki/SubRip .srt] subtitle files are essentially text files with time stamps. They are meant to be used with digital video files (such as .AVI files) and are different from the image-based .idx / .sub subtitle files (vobsub) used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs.

* Using mencoder:
mencoder -ovc [codec] [codec opts] -oac copy -sub [sub file.srt] -subfont-text-scale [3 normally]

In the example above, this would be:
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

*Note: When adding subtitles to an .AVI video, you must transcode it completely. It is not sufficient to merely add the subtitle track as listed above -- the entire video must be re-transcoded. So, for example:

mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

=== Trim a video ===
*Using mencoder:

mencoder <input.avi> -ovc copy -oac mp3lame -ss 01:57:12 -endpos 00:04:08 -o <output.avi>

where -ss indicates the start position of the clip (hh:mm:ss) and -endpos indicates how long the clip should be. (I use mp3lame for the audio codec because YouTube accepts that.)

=== Resize a video ===
*Using mencoder:
mencoder <input.avi> -ovc xvid -vf scale=320:240 -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

where -vf scale=320x240 indicates that the resulting video should be of that size. The position of the suboption in the command string is important.

* [http://en.wikipedia.org/wiki/High-definition_television HDTV] resolution is usually 1920 x 1080 ("1080p") or 1280 x 720 ("720p"). A [http://en.wikipedia.org/wiki/Standard-definition_television standard definition] widescreen TV has a maximum height of "480p" (usually 853 x 480 but sometimes 720 x 406). The standard width:height [http://en.wikipedia.org/wiki/Aspect_ratio_%28image%29 aspect ratio] for cinema is 1.85:1, whereas the average aspect ratio for widescreen movies distributed for display on television is 16:9 (1.78:1). When resizing a video, it is good to know the original dimensions of the video and maintain the width to height aspect ratio in the chosen scale.

:*Example: A video is distributed as 1280 x 692 (which has an aspect ratio of 1.85:1). The device (a low resolution television) on which it is to be displayed has a maximum width of 720. The desired resolution would then be 720 x 390 to keep the aspect ratio at approximately 1.85:1. The option would then be ''-vf scale=720:390''. An analog television would require 10% [http://en.wikipedia.org/wiki/Overscan overscan], making the maximum width 648. To keep an aspect ratio of 1.85:1 would require a resolution of 648 x 350, or a scale option of ''-vf scale=648:350''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on a television with a maximum width of 720p, which would require a final resolution of 720 x 406 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=720:406''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on an analogue television with 10% [http://en.wikipedia.org/wiki/Overscan overscan], which would require a final resolution of 648 x 364 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=648:364''.

* [http://en.wikipedia.org/wiki/Standard-definition_television "Standard" definition] [http://en.wikipedia.org/wiki/Analog_television analog television] has a 4:3 ratio, for which a scale of 640:480 (''-vf scale=640:480'') is generally preferable.

=== Convert to .MP3 audio file ===
* I find [[#Convert_to_.MP3_audio_file_using_FFMPEG|FFMPEG]] to be easier for this task.

* (''Under construction'') To use Mplayer to extract audio to pcm .wav file:
mplayer <input.avi> -vc null -oa pcm -aofile -ss 1441.4 -endpos 260.1 <output.wav>

*Then convert the .wav file to .mp3 with your favourite converter (such as SoundConverter).

=== Change audio track of video ===
* In general, [[All#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a good video editor for most needs, including muxing and demuxing video and audio.

* For a quick method to change the audio for a video, I like to merely remove the audio from the original video file using the ''-nosound'' option, for example:

mencoder <input.avi> -ovc copy -nosound -o <outputnosound.avi>

* Then, I add a new audio file as the audio track to the video using the ''-audiofile'' option. For example, if I now want to add an .mp3 audio track named <newaudio.mp3>, I would use the command:

mencoder <outputnosound.avi> -ovc copy -oac mp3lame -audiofile <newaudio.mp3> -o <output.avi>

== FFMPEG ==
[http://ffmpeg.org/ FFMPEG] is the swiss-army knife of video and audio format conversion. It succeeds when no other program can. It is free and open source. If it not yet installed on your system as part of another package (it is used by many video/audio editors), then install it:
sudo apt-get install ffmpeg

*To convert many different formats, read the [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html FFMPEG documentation]. Also see [http://howto-pages.org/ffmpeg/ this tutorial].

=== Flash video (.flv) to MPG-2 using FFMPEG ===
* To convert a saved Flash video (.flv) to an MPEG-2 format playable on a DVD, convert:
ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd ''samplevideo.mpg''

* Then use [[Kubuntu:Oneiric#K3b (CD/DVD burner)|K3b]] (or [[Ubuntu:Oneiric#Gnomebaker (CD/DVD burner)|Gnomebaker]]) to write the mpg file to a New DVD Data Project.

:*For PAL use -target pal-dvd. For widescreen, use -target film-dvd. For other conversion tips, see [http://ubuntuforums.org/archive/index.php/t-1006250.html this forum]. (Note: Most Flash video has very low resolution, with a screen size of 360x270, for example. You may see a slight diminishment in resolution if you wish to convert it to 720x480 (which is the NTSC standard size) or other screen size. You can keep the original screen size and resolution by omitting the -target parameter.) If your original file is 16:9 widescreen and you desire a 4:3 letterbox output for playing on an overscanned TV, you may need to pad the file so that the widescreen is not compressed (see [http://ubuntuforums.org/showthread.php?t=1010648 this forum]):

ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 ''samplevideo.mpg''

* You can also use the WinFF GUI and add the command (as above) as a "Preset," for subsequent use. For example:
:Video converter (WinFF) -> Edit -> Presets ->
:: Preset Name: Letterbox -> Preset Label: 16:9 Widescreen to 4:3 Letterbox
:: Preset command: -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58
::Ouput file extension: mpg -> Category: DVD
:::-> Add/Update -> Save

*To convert to MPEG-4 (mp4) files, use
ffmpeg -i ''samplevideo.flv'' ''outputvideo.mp4''

* FFMPEG requires that multiple [[Kubuntu:Oneiric#Restricted Extras|restricted extra codecs]] be installed. This can be done in a single easy step from the command-line Terminal:
sudo apt-get install kubuntu-restricted-extras
:or
sudo apt-get install ubuntu-restricted-extras

=== Convert to .MP3 audio file using FFMPEG ===
==== Convert Flash video audio to mp3 ====
* Once you have downloaded flash video content (.flv) from the Internet (using the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video Download Helper plug-in for Firefox]], for example), the audio component can be converted to an mp3 using this command (from the command line Terminal). (This will work for any type of video file, not just Flash.)
ffmpeg -i ''nameofvideoclip.flv'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''

:where -i indicates the input, -ab indicates the bit rate (in this example 160kb/sec), -vn means no video ouput, -ac 2 means 2 channels, -ar 44100 indicates the sampling frequency. See [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html#SEC11 FFMPEG docs] for more info.

If I only want a segment of the video to be converted, I can use the time markers:
ffmpeg -i ''nameofvideoclip.flv'' -ss ''00:00:09'' -t ''00:03:00'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''
:where -ss ''00:00:09'' indicates the point in the video (hh:mm:ss) at which to start conversion and -t ''00:03:00'' indicates the amount of time (from the start point) to convert.

* As long as [[#FFMPEG|FFMPEG]] is already installed, the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video DownloadHelper plug-in for Firefox]] already has an option to automatically convert an online video (such as those found at YouTube) into an .MP3 file. (Settings are adjustable.) From the DownloadHelper icon in Firefox, highlight the video to convert, then
:DownloadHelper icon -> Download and Convert -> Converter options: MP3

=== Edit/convert screencapture with FFMPEG ===
''Note: This section under construction.''

*Note: I now recommend using [[Video_Conversion|mencoder for all video conversion]] techniques. It uses some of the ffmpeg libraries but is faster and gives more reliable and high-quality results.

*This is only one example of a wide variety of techniques. Once I have a [[Screencasts#FFMPEG_with_x11grab|captured video]], I want to convert it to XVID video (which is the format my older DVD player accepts) and MP3 audio (mp3lame), which I will place in an AVI container (which my DVD player also accepts).

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -acodec libmp3lame -ss 00:00:09 -t 00:03:00 ''Punchcast2.avi''

I will start conversion (-ss) at second 9 (to eliminate unimportant things at the beginning) and convert 3 minutes (-t) of video (00:03:00).

* I happen to watch my screencasts on my old-fashioned 4:3 television. To do that, I make a letterboxed video:

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 -acodec libmp3lame ''Punchcast3.avi''

My laptop screen is 1366x768, which I reduce to a size of 648x364. My TV wants 720x480, so I pad the sides and top/bottom. Why not a width of 720 initially? My older television has 10% overscan, which cuts off 10% of the video. I therefore use (at least) 10% padding on the edges.

In newer versions of FFMPEG, the padding (and many other) options have changed. The proper command is now:
ffmpeg -i Punchcast1.avi -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -vf pad 720:480:36:58 -acodec libmp3lame Punchcast3.avi

ffmpeg movie=Punchcast1.avi:seek_point=9 -vcodec copy -acodec libmp3lame Punchcast1f.avi

=== WinFF (FFMPEG GUI) ===
[http://winff.org WinFF] is a free, GPL-licensed open source GUI frontend for FFMPEG. Install:
sudo apt-get install winff xterm
Run:
:Menu -> Applications -> Sound & Video -> WinFF

== VobSub2SRT (Convert subtitles from .sub/.idx to .srt) ==
* [https://github.com/ruediger/VobSub2SRT VobSub2SRT] is a simple (GPLv3-licensed) command line program to convert the image-based .idx / .sub subtitle files (used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs) into text-based [http://en.wikipedia.org/wiki/SubRip .srt] text subtitle files by using OCR. It is based on code from the [[Ubuntu:All#MPlayer_Multimedia_Player|MPlayer]] project, [[Ubuntu:All#Tesseract_.28Optical_Character_Reader.29|Tesseract]] as OCR software, and libavutil (part of the [[Ubuntu:All#FFMPEG_video_.2F_audio_conversion|FFmpeg]] project). Install the (K)Ubuntu/Debian (.deb) package from a PPA repository:
sudo add-apt-repository ppa:ruediger-c-plusplus/vobsub2srt
sudo apt-get update
sudo apt-get install vobsub2srt

* Alternatively, you can download and build a version from source code.
:* Install dependencies:
sudo apt-get install pkg-config build-essential cmake libavutil-dev libtesseract-dev

:* For (K)Ubuntu 12.10 (Quantal) also install:
sudo apt-get install libtiff5-dev tesseract-ocr-eng

:* For (K)Ubuntu 12.04LTS (Precise) also install:
sudo apt-get install libtiff4-dev tesseract-ocr tesseract-ocr-eng 

::* If you will be converting subtitles in languages other than English, you must install tesseract for any or all of those languages as well:
sudo apt-get install tesseract-ocr-vie tesseract-ocr-deu tesseract-ocr-fra tesseract-ocr-ita
sudo apt-get install tesseract-ocr-nld tesseract-ocr-spa tesseract-ocr-por tesseract-ocr-deu-f
::where vie is for Vietnamese, deu is for German, fra is for French, ita is for Italian, nld is for Dutch, spa is for Spanish, por is for Portugeuse, and deu-f is for German Fraktur script. If you don't you will get an error of the type: ''Unable to load unicharset file /usr/share/tesseract-ocr/tessdata/xxx.unicharset''.

:* Download and unzip the VobSub2SRT .zip file into its own directory:
mkdir vobsub2srt
cd vobsub2srt
wget -O vobsub2srt-current.zip <nowiki>https://github.com/ruediger/VobSub2SRT/zipball/ca53a18108eb08d6e2b853643d8c6838e2489823</nowiki>
unzip vobsub2srt-current.zip
rm vobsub2srt-current.zip

:* This will create a subdirectory with the current version. For example, my version is ''vobsub2srt/ruediger-VobSub2SRT-ca53a18''. Change into that directory then compile and install the program.
cd ''ruediger-VobSub2SRT-ca53a18''
./configure
make
sudo make install

:* This should install the program vobsub2srt to /usr/local/bin. You can uninstall vobsub2srt with ''sudo make uninstall''. You can build a *.deb package (Debian/Ubuntu) with ''make package''. The package is created in the build directory.

* Convert the .sub / .idx pair of subtitle files (named ''Filename.sub'' and ''Filename.idx'') into a .srt sbutitle file (named ''Filename.srt''):
vobsub2srt ''Filename''

:where Filename is the file name of the subtitle files WITHOUT the extension (.sub / .idx).

*If there are multiple languages in the .sub / .idx pair of subtitle files, you can select which language to convert (using the 2-letter [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639-1] language code, e.g. en, fr, de, it, es, pt, etc.):
vobsub2srt --lang en ''Filename''

* Edit the .srt subtitle file for OCR mistakes (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
kate ''Filename.srt''

== Join .MPG video segments ==
Individual video segments (MPEG-2, for example) can easily be joined:
cat ''samplevideo1.mpg'' ''samplevideo2.mpg'' ''samplevideo3.mpg'' > ''samplevideo123.mpg''

:You can then write the resulting MPEG-2 file to a DVD and play it in most DVD players.

== Split a file into segments ==
Any file can be [http://en.wikipedia.org/wiki/Split_%28Unix%29 split] into segments using the Linux command:
split -b 1440k ''my_big_file''

which will split ''my_big_file'' into equal segments of size 1440 kb.

== Create a commercial (.vob) format DVD ==
* The audiovideo container of commercial DVDs uses the [http://en.wikipedia.org/wiki/VOB .vob format]. This container requires either MPEG-1 or MPEG-2 video (.mpg) and either AC3 or MPEG-2 (.mp2) audio. Therefore, the first step in creating a DVD-video in this format is to convert all audiovisual files (to be included on it) to .mpg files (with one of those video and audio formats), usually with the MPEG-PS (A+V) container. This can be done from the command-line terminal (using mencoder or ffmpeg) or from a GUI utility (such as Avidemux).

:* The GUI utility [[Kubuntu_Precise_Video#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a GUI utility that has standardised settings for file conversion. [http://avidemux.org/admWiki/doku.php?id=tutorial:converting_to_dvd Here] is the Avidemux tutorial for conversion to a DVD-video.

::* Open the file and allow the time map and Index to be rebuilt.
::* It is best to convert a file (to be included on the DVD) to a format with MPEG-2 (avcodec) video, AC3 (lav) audio, and the MPEG-PS (A+V) container as an intermediate first. The MP2 audio format (the default for Avidemux in "Auto" mode) can also be used, and will result in a much smaller .mpg file then when using AC3 audio, but several of my very old DVD players only recognise AC3 audio (so this has therefore become my personal preference).
:::* The easiest method for doing this is to use the Avidemux Auto DVD wizard. (Avidemux -> Auto -> Optical Disc -> DVD). Select the appropriate souce and destination ratios. (My source videos are usually already in 16:9 widescreen formats, and I want to make DVDs for my widescreen 16:9 TV. I therefore choose 16:9 for both the "Source Aspect Ratio" and the "Destination Aspect Ratio.") The Auto DVD Wizard uses MP2 audio by default, but I personally like AC3 audio instead (the format usually used on "commercial" DVDs). I therefore change this using the Audio -> AC3 (lav) option.
:::* It is possible to customise (or initially set) the format options manually as well (see the Avidemux documentation). Select the Video (and make sure the aspect ratio is the one you desire in Video -> Configure -> Configuration: DVD -> Aspect Ratio: ''16:9'' ), Audio, and (container) Format options.
::::* To be DVD compliant, the resolution must be
:::::* 352*480 or 720*480 or 704*480 for NTSC
:::::* 352*576 or 720*576 or 704*576 for PAL/SECAM
:::: This is set automatically if using the Auto DVD wizard. If your original video does not already have the correct aspect ratio, you will have to use cropping, scaling, and/or black bar "Filter" options until one of the standard resolutions is achieved.

::* Save the file ( Avidemux -> File -> Save -> Save Video... -> ''myconvertedvideo.mpg'' ) to activate the conversion process. (If prompted whether to "Reuse the existing log file?" answer "No.")

:* Alternatively, mencoder can be used from the command-line to [[#AVI_to_MPG|convert a file to the .mpg format]].

:* Alternatively, FFMPEG can be used from the command-line to [[#Flash_video_.28.flv.29_to_MPG-2_using_FFMPEG|convert a file to the .mpg format]]. A simplified preset option for for conversion to both PAL and NTSC options is available.

* Once all files to be included on the DVD-video have been converted to .mpg files, the utility [[Kubuntu_Precise_Audio_Video_Conversion#DVD_Author|dvdauthor]] can be used for conversion to .vob format (appropriate for writing to the DVD). While this utility can be used from the command-line, "authoring" (conversion) is more easily accomplished using one of several available [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|GUI front-ends]], which allow creation of menus for the DVD as well.

::* With Kubuntu I use KMediaFactory for simple projects. (QDVDAuthor, which is difficult to install in recent Kubuntu versions, is superior and more powerful. [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|KMediaFactory]], in contrast, is in the repositories and is adequate (and quick) for most purposes.
:::* Rename the .mpg files (created with Avidemux or other method) carefully. The filename(s) becomes the Title(s) used by KMediaFactory for the video(s) on the DVD menu.
:::* Set up the DVD menu in KMediaFactory.
::::* KMediaFactory -> Project -> Title -> ''MyDVDTitle'' (this will appear on the DVD Menu at the top)
::::* -> Type: ''DVD-NTSC'' -> Aspect: ''16:9'' -> Destination Folder ''/home/user/DVDs''
:::* Add the .mpg files to the DVD.
::::* KMediaFactory -> Media -> Add Video -> ''MyFirstVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::::* -> Add Video -> ''MySecondVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::* Choose the DVD Menu appearance.
::::* KMediaFactory -> Template -> ''Preview 3''
:::* Choose the output format. For this, I generally create a "DVD folder" which I can then check using [[Kubuntu_Precise_Media_Players#VLC_Multimedia_Player|VLC]] to make sure my DVD looks the way I had intended. (VLC -> Media -> Open Disc... -> Browse... -> ''name_of_folder'' -> Play)
::::* KMediaFactory -> Output -> DVD Folder
:::* Start the conversion ("DVD authoring") process. If an error appears, the problem usually lies in a non-existent (or write-protected) folder having been specified when setting the "Title" options. Make sure the folder has been specified properly. KMediaFactory will then create the standard AUDIO_TS and VIDEO_TS folders in the folder specified.
::::* -> Start

::* In Kubuntu I then use [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|K3b]] to burn the AUDIO_TS and VIDEO_TS folders to a blank DVD. This can be done in K3b using the "New Video DVD Project" (K3b -> More actions... -> New Video DVD Project) using the AUDIO_TS and VIDEO_TS folders as the data. Edit the name of the DVD to reflect the desired DVD name. "Burn" the DVD. The result will be identical to commercial DVDs. (Note: In recent versions of K3b I have had to "Burn" using the "growisofs" Writing app at 8x Speed and DAO (Disc-At-Once) Writing Mode in order to achieve reliable burns. See [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|here]] for more details.)

== Recommended formats ==
* There is only one format that works on all my devices (computer (both Linux and Windows), (Android) tablet, (Android) eBook reader, MP3 player, DVD player):
:* .AVI container with XVID/DivX video codec and MP3lame (MP3) audio codec

:I use this for all my devices, and encode files to about 700 MB. This is a good size that gives good quality and allows me to fit many videos on a single SDcard (which I use in my mobile devices). For most of my devices, a 128 kb MP3 encoding bitrate is sufficient; I previously encoded at 192 kb for MP3lame (which is the default bitrate for AC3 sound), but I find this bitrate to be unnecessary. (The higher the encoding bitrate, the larger the encoded file, and I try to keep all my files around 700 MB.) The .AVI container has several limitations: it does not allow more than stereo audio (i.e. no 5.1 surround sound), does not allow multiple subtitle files, and requires a constant bitrate (CBR) audio channel. For advanced archival purposes it may not be suitable in the long-term, but currently it is desirable for the wide range of devices that accept it. It is also one of the only containers guaranteed to be accepted by Windows computers (since the container is originally a Windows-based format).

* I am also able to use an .MP4 container with X264/H.264 video codec and either the AAC audio codec or the MP3lame (MP3) audio codec on many devices, but not all. Neither the X264/H.264 video nor the AAC audio will play on my DVD player or MP3 player, for example (though it plays on my computer and Android tablet devices).

:* The related .M4V container (the proprietary Apple Quicktime format) works on almost none of my devices, and, furthermore, is difficult to decode and re-encode to a different container. I shun this format like the plague.

* The newer .MKV container, though open source and a superior container, is accepted by very few of my older devices. It does not play on my (older) DVD player or MP3 player, for example (no matter which video and audio codecs are used).

:Nevertheless, most newer DVD players seem to accept the .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. Over the years, however, I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at [http://www.bestbuy.com/site/Philips+-+DVD+Player+with+HD+Upconversion/4983625.p;jsessionid=436B03D27CA483A9AB8EC510D0B2B03C.bbolsp-app01-115?id=1218644449769&skuId=4983625&st=philips&cp=1&lp=15 Best Buy] for $40). I highly recommend this player, therefore, if you find yourself with a large collection of .AVI / XVID video files. However, it does not play MP4 files, which is a drawback. (Note: I am told that [http://www.amazon.com/Philips-Region-1080p-Upconverting-Player/dp/B004BI6MVS/ref=pd_cp_e_0#productDescription this upconverting Philips DVD] player will play region-free, both PAL and NTSC formats, and both MP4 and DivX/XVID codecs.)

* My Android (2.3) tablet devices will also not accept the AC3 audio codec (which is the standard audio used on commercial DVDs, for example), so most of the time I re-encode any files having AC3 audio with the MP3lame audio codec instead.

Template:Video Conversion

Perspectoff — Sat, 27 Apr 2013 21:03:59 GMT

Perspectoff: /* Create a commercial (.vob) format DVD */

= Video Conversion =
This guide does not advocate the illegal duplication of copyrighted content. However, fewer and fewer devices use DVDs any longer, and a large amount of video content is distributed on DVDs. It becomes necessary to convert video content into formats that can be viewed on devices that no longer used DVDs. Furthermore, online content is often in a format that is not universally playable and this also requires conversion. Trying to select and encode a video into a format which your device accepts is not always a straightforward task.

== Introduction ==
There are lots of video and audio codecs and lots of methods and preferences for converting between formats. These are only some basic examples. A good deal of trial and error is often required for successful video conversion.

* Mencoder and FFMPEG are the two packages that are the workhorses of video conversion. Of these, mencoder is faster and generally gives better results.

* [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]] uses a streaming algorithm and FFMPEG to "rip" DVDs and can work with many different encryption methods. It uses the (superior, open source) [http://en.wikipedia.org/wiki/Matroska .MKV] container only, however (which is not supported by many devices). It also does not support [http://en.wikipedia.org/wiki/Xvid XVID] (and uses either [http://en.wikipedia.org/wiki/X264 X264/H.264] or [http://en.wikipedia.org/wiki/MPEG-4_Part_14 MP4] video codecs) and therefore its video output is also not universally accepted by a wide range of devices. As these standards become more widely accepted, however, this will be an invaluable encoding tool. On rare occasions I rip a video with Handbrake (to .MKV and H.264/MP3) and then convert it to .AVI (XVID/MP3) in a second step (using mencoder).

* When I originally wrote these articles, .MKV was accommodated by only a handful of DVD players. A recent survey of new DVD players shows that most (including widely available inexpensive DVD players) will now play files in .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. However, over the years I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at Best Buy for $40). I highly recommend this player if you find yourself with a large collection of .AVI / XVID video files.

== Mencoder ==
[http://www.mplayerhq.hu/DOCS/HTML/en/mencoder.html Mencoder] is part of the [http://www.mplayerhq.hu/DOCS/HTML/en/index.html MPlayer] set of libraries (that also uses several of the FFMPEG libraries) for audio/visual conversion. If it is not installed on your system, install it:
sudo apt-get install mencoder

Usage instructions can be found from the command-line (''man mencoder'') or [http://linux.die.net/man/1/mencoder here].

=== MP4 with AAC audio to AVI with Xvid / MP3 ===
* The [http://en.wikipedia.org/wiki/Advanced_Audio_Coding#Licensing_and_patents AAC audio codec] is not compatible with many DVD players and devices due to licensing restrictions, whereas the MP3 audio codec is nearly universally accepted. Xvid is the open source version of the DivX video codec and is accepted by a very large number of DVD players and other devices (even older ones, especially those displaying the DivX logo).

* The [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container only allows a [http://en.wikipedia.org/wiki/Constant_bitrate constant bitrate], so the MP3 audio must be encoded at CBR. If the AAC is [http://en.wikipedia.org/wiki/5.1_surround_sound 5.1], it will be downcoded to stereo for MP3.

* This example is a two-pass technique that allows the file size to be specified and quality optimized for that filesize (using the information generated in the first pass). In this example, a 700 MB file is desired (and is specified by the negative value).

This information is from [http://en.gentoo-wiki.com/wiki/HOWTO_Mencoder_Introduction_Guide#XviD the Gentoo Wiki for Xvid and mencoder].

mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

=== Remove MKV subtitles and convert to AVI (XVID/MP3) ===
Mastroska container ([http://en.wikipedia.org/wiki/Matroska .MKV]) video files can have multiple subtitles included. In the default conversion from an .MKV container format to an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container format, the default subtitle file of the .MKV container is automatically hardcoded into the converted .AVI file, which may be undesirable. To overcome this behaviour (so that the converted .AVI has no subtitles), use the ''-sid 999'' option:

mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=1 -o /dev/null
mencoder <input.mkv> -sid 999 -ovc xvid -oac mp3lame -lameopts cbr:br=192 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

* To hardcode one of the subtitle tracks onto the .AVI video from the .MKV video, choose the subtrack ID, such as ''-sid 0'' or ''-sid 1''.

* If using NTFS and the error

Too many audio packets in the buffer: (4096 in 837540 bytes).
> Maybe you are playing a non-interleaved stream/file or the codec
> failed? For AVI files, try to force non-interleaved mode with the
> -ni option.

appears, then add these options:
-mc 0 -ofps 24000/1001 -noskip

=== DVD to AVI with Xvid / MP3 ===
* See the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-dvd-mpeg4.html mencoder documentation].
* Extract a video (in the .vob format) from a DVD to a file with an [http://en.wikipedia.org/wiki/Audio_Video_Interleave .AVI] container and [http://en.wikipedia.org/wiki/Xvid XVID]/DivX video and [http://en.wikipedia.org/wiki/LAME .MP3] audio using this (2-pass conversion) command:
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -vobsub 999 -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -o <output.avi>

where dvd://''1'' indicates the first track of the DVD. If you are not sure which track contains the content you wish to extract to a file, one way to check this is to play the DVD with a media player like VLC, examining the tracks on it:
:VLC -> Media -> Open Disc... -> Play -> Playback -> Navigation

or from the command line install lsdvd (''sudo apt-get install lsdvd'') and use it:
lsdvd -v -t 1 /dev/dvd

This will show a list of the title numbers (for the content tracks) on the DVD (and information about them). Use the title number for the content to be extracted.

* Conversion is much faster when done from from a hard drive than from a physical DVD. It is possible to copy the VIDEO_TS and AUDIO_TS folders from the physical DVD to a folder on the hard drive. Once you have copied the contents of the DVD to a folder, add the ''-dvd-device /path/to/dvd_folder'' option to specify it (with the same options as above in addition to the new one):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder''

* Note the ''-vobsub 999'' option to prevent subtitles from being automatically added. (If you wish to hardcode subtitles, use the number of the subtitle track, such as ''-sid 0'' or ''-vobsubid 0'' for the default subtitle track or ''-sid 1'' or ''-vobsubid 1'' for the next subtitle track.)

* Other options for video cropping and scaling can be used. See [http://www.axllent.org/docs/video/mencoder_dvd_to_mpeg4 these hints] and [http://savvyadmin.com/tag/xvid/ these tips], as well as [[#Resize_a_video|this section]].

* When better audio quality is desired, an audio [http://en.wikipedia.org/wiki/Bit_rate bitrate] more than 128 kb/sec can be used (e.g. ''br=160'' or ''br=192''), but this will give a larger file (or will decrease video quality if the filesize remains constant). cbr (constant bitrate) is used for mp3lame encoding in .AVI; I generally increase the volume of the video by 30% using the vol=3 option, as well. My final audio command therefore usually ends up: ''-oac mp3lame -lameopts cbr:br=128:vol=3''.

* If there are multiple audio tracks, the audio track can be selected with the ''-aid 1'' (or similar) option, specifying the number of the desired audio track. (Note: check audio track numbering carefully.) The English default audio track is usually ''-aid 128''. To show information about the audio tracks, use
lsdvd -a -t 1 /dev/dvd

* Although the ''bitrate=-700000'' option specifies a target file size of 700000 (approx. 700 MB), this actually results in a file size of nearly 800 MB. Specify a target filesize about 15% less than actually desired, therefore. For a target 700 Mb file, for example, I use ''bitrate=-620000''.

* For XVID there is an option to allow video seeking (for fast forwarding or rewinding) in 1 second increments (instead of the default 10 second increments): ''-xvidencopts max_key_interval=25'' (seek every 25 frames instead of the default 250 frames). This would be included as part of a more complex option string, such as ''-xvidencopts pass=2:max_key_interval=25:bitrate=-620000''.

* In order to play the converted .AVI file on my older DVD players and televisions (and avoid significant motion artifacts and pixelation), I find that I must use deinterlacing. Only two interlacing methods have worked well for me: ''-vf pp=lb'' or ''-vf yadif=0''. There are many methods of deinterlacing for mencoder, however (see [http://guru.multimedia.cx/deinterlacing-filters/ here] and [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html here], for example). Deinterlacing may not be necessary for your needs (when used for archival purposes only, for example, or if viewing files with media players (such as VLC) that already have built-in deinterlacing capabilities). Often recommended when ripping NTSC-format movies (progressive or telecined) is to include the option ''-vf pullup,softskip,harddup'', which must be used with a deinterlacing filter, such as ''-vf pullup,softskip,pp=lb,harddup'' (or ''-vf pullup,softskip,yadif=0,harddup''). The order of the telecine/progressive option, the deinterlacing option, and any cropping or scaling options is very specific -- read the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-telecine.html#menc-feat-telecine-encode mencoder documentation] carefully when mixing these options. Specifically, cropping and scaling (when used) should be done after the telecine/progressive/deinterlacing options but before the frame duplication option, e.g. ''-vf pullup,softskip,pp=lb,crop=720:416:0:80,scale=704:304,harddup''.

* Note: You will need [[Kubuntu_Precise_Audio_Video_Conversion#libdvdcss|libdvdcss2]] installed on your system to access DVD data. If your DVD has encryption that is not able to be decrypted by libdvdcss, then consider using [[Kubuntu_Precise_Audio_Video_Conversion#Handbrake|Handbrake]], which uses a streaming algorithm to "rip" DVDs.

* This is the 2-pass command I end up using most often (with 4:3 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

* This is the 2-pass command I end up using most often (with 16:9 NTSC videos):
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=1 -o /dev/null
mencoder dvd://''1'' -dvd-device ''/path/to/dvd_folder'' -vf pullup,softskip,pp=lb,scale=648:364,harddup -vobsub 999 -aid 128 -ovc xvid -oac mp3lame -lameopts cbr:br=128:vol=3 -xvidencopts pass=2:max_key_interval=25:bitrate=-620000 -o <output.avi>

:The scale option is set so that I can play the video on analogue televisions with overscan (I still have a few of those). However, an alternative is to use ''scale=720:406'' for use on most widescreen TVs.

==== Using k9copy as a conversion front-end ====
* [[Kubuntu_Precise_Audio_Video_Conversion#K9copy_.28DVD_Ripper.29|k9copy]] is a good front-end for mencoder (as well as ffmpeg).
* To add an option to encode to XVID from an NTSC DVD (when using mencoder within k9copy), I add the necessary options to the Video codecs section:
:k9copy -> Configure k9copy -> Encoders -> ''mencoder'' -> Add -> label: ''XVID from NTSC'' -> first pass ->
-ovc xvid -xvidencopts bitrate=$VIDBR:turbo:pass=$PASS:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

The same command is entered for the "second pass" option as well. For the "one pass" option enter:
-ovc xvid -xvidencopts bitrate=$VIDBR:aspect=$ASPECT -vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup

* To then use this new Video codec option, make sure it is selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Video -> Codec -> ''XVID from NTSC'' -> 2 pass (''ticked'') -> Apply

At the same time, the MP3 (lame) Audio codec option can be selected:
:k9copy -> Configure k9copy -> MPEG-4 -> Audio -> Codec -> ''mp3 (lame)'' -> OK

* Now when the Output: ''MPEG-4 encoding'' is selected from the main screen, this "XVID from NTSC" Video encoding option will be used.

* Note that the ''-vf pullup,softskip,pp=lb,crop=$CROPWIDTH:$CROPHEIGHT:$CROPLEFT:$CROPTOP,scale=$WIDTH:$HEIGHT,dsize=$ASPECT,harddup'' option can be used with any Video codec, not just XVID.

=== AVI to MPG ===
* The MPG format is sometimes useful for creating DVDs (using the [http://en.wikipedia.org/wiki/MPEG-1 MPEG-1] or [http://en.wikipedia.org/wiki/MPEG-2 MPEG-2] video codec, which can be then used for vob files using [[Ubuntu:All#DVD_Author|QDVDAuthor]] or [[Ubuntu:All#ToVid|ToVid]]). If the audio codec of the AVI file is already AC3 or MP3, it usually can be copied. This example is take from the [http://www.mplayerhq.hu/DOCS/HTML/en/menc-feat-mpeg.html MPlayer/Mencoder documentation]. Example:

mencoder <input.avi> -of mpeg -ovc lavc -lavcopts vcodec=mpeg1video -oac copy -o <output.mpg>

=== Increase volume ===

* Use the ''-af volume=3:0'' option, where the first number (3 in the example) is the number of decibels to increment the volume (a 3 db increment doubles the volume), and the second number is 0 for hard-clipping and 1 to allow software-based clipping (to prevent oversaturation when the sound becomes too loud).

For example, if I want to double the sound volume of my .AVI video:

mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128 -af volume=3:0 -o <output.avi>

* This can also be done when encoding to the mp3lame audio codec by adding an option to the mp3lame options:
mencoder <input.avi> -ovc copy -oac mp3lame -lameopts cbr:br=128:vol=3 -o <output.avi>

:where ''vol=3'' can be set to any value between -10 and 10. I use ''vol=3'' to increase the volume 30%. (This method works best for me.)

=== Add subtitles to video ===
* [http://en.wikipedia.org/wiki/SubRip .srt] subtitle files are essentially text files with time stamps. They are meant to be used with digital video files (such as .AVI files) and are different from the image-based .idx / .sub subtitle files (vobsub) used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs.

* Using mencoder:
mencoder -ovc [codec] [codec opts] -oac copy -sub [sub file.srt] -subfont-text-scale [3 normally]

In the example above, this would be:
mencoder <input.mp4> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-700000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

*Note: When adding subtitles to an .AVI video, you must transcode it completely. It is not sufficient to merely add the subtitle track as listed above -- the entire video must be re-transcoded. So, for example:

mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=1 -o /dev/null
mencoder <input.avi> -ovc xvid -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -sub <subtitles.srt> -subfont-text-scale 3 -o <output.avi>

=== Trim a video ===
*Using mencoder:

mencoder <input.avi> -ovc copy -oac mp3lame -ss 01:57:12 -endpos 00:04:08 -o <output.avi>

where -ss indicates the start position of the clip (hh:mm:ss) and -endpos indicates how long the clip should be. (I use mp3lame for the audio codec because YouTube accepts that.)

=== Resize a video ===
*Using mencoder:
mencoder <input.avi> -ovc xvid -vf scale=320:240 -oac mp3lame -lameopts cbr:br=128 -xvidencopts pass=2:bitrate=-1400000 -o <output.avi>

where -vf scale=320x240 indicates that the resulting video should be of that size. The position of the suboption in the command string is important.

* [http://en.wikipedia.org/wiki/High-definition_television HDTV] resolution is usually 1920 x 1080 ("1080p") or 1280 x 720 ("720p"). A [http://en.wikipedia.org/wiki/Standard-definition_television standard definition] widescreen TV has a maximum height of "480p" (usually 853 x 480 but sometimes 720 x 406). The standard width:height [http://en.wikipedia.org/wiki/Aspect_ratio_%28image%29 aspect ratio] for cinema is 1.85:1, whereas the average aspect ratio for widescreen movies distributed for display on television is 16:9 (1.78:1). When resizing a video, it is good to know the original dimensions of the video and maintain the width to height aspect ratio in the chosen scale.

:*Example: A video is distributed as 1280 x 692 (which has an aspect ratio of 1.85:1). The device (a low resolution television) on which it is to be displayed has a maximum width of 720. The desired resolution would then be 720 x 390 to keep the aspect ratio at approximately 1.85:1. The option would then be ''-vf scale=720:390''. An analog television would require 10% [http://en.wikipedia.org/wiki/Overscan overscan], making the maximum width 648. To keep an aspect ratio of 1.85:1 would require a resolution of 648 x 350, or a scale option of ''-vf scale=648:350''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on a television with a maximum width of 720p, which would require a final resolution of 720 x 406 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=720:406''.

:*Example: An HQ video is distributed as 1920 x 1080 (which has an aspect ratio of 16:9). It is desired to view the video on an analogue television with 10% [http://en.wikipedia.org/wiki/Overscan overscan], which would require a final resolution of 648 x 364 to maintain an aspect ratio of 16:9. The scale option would be ''-vf scale=648:364''.

* [http://en.wikipedia.org/wiki/Standard-definition_television "Standard" definition] [http://en.wikipedia.org/wiki/Analog_television analog television] has a 4:3 ratio, for which a scale of 640:480 (''-vf scale=640:480'') is generally preferable.

=== Convert to .MP3 audio file ===
* I find [[#Convert_to_.MP3_audio_file_using_FFMPEG|FFMPEG]] to be easier for this task.

* (''Under construction'') To use Mplayer to extract audio to pcm .wav file:
mplayer <input.avi> -vc null -oa pcm -aofile -ss 1441.4 -endpos 260.1 <output.wav>

*Then convert the .wav file to .mp3 with your favourite converter (such as SoundConverter).

=== Change audio track of video ===
* In general, [[All#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a good video editor for most needs, including muxing and demuxing video and audio.

* For a quick method to change the audio for a video, I like to merely remove the audio from the original video file using the ''-nosound'' option, for example:

mencoder <input.avi> -ovc copy -nosound -o <outputnosound.avi>

* Then, I add a new audio file as the audio track to the video using the ''-audiofile'' option. For example, if I now want to add an .mp3 audio track named <newaudio.mp3>, I would use the command:

mencoder <outputnosound.avi> -ovc copy -oac mp3lame -audiofile <newaudio.mp3> -o <output.avi>

== FFMPEG ==
[http://ffmpeg.org/ FFMPEG] is the swiss-army knife of video and audio format conversion. It succeeds when no other program can. It is free and open source. If it not yet installed on your system as part of another package (it is used by many video/audio editors), then install it:
sudo apt-get install ffmpeg

*To convert many different formats, read the [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html FFMPEG documentation]. Also see [http://howto-pages.org/ffmpeg/ this tutorial].

=== Flash video (.flv) to MPG-2 using FFMPEG ===
* To convert a saved Flash video (.flv) to an MPEG-2 format playable on a DVD, convert:
ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd ''samplevideo.mpg''

* Then use [[Kubuntu:Oneiric#K3b (CD/DVD burner)|K3b]] (or [[Ubuntu:Oneiric#Gnomebaker (CD/DVD burner)|Gnomebaker]]) to write the mpg file to a New DVD Data Project.

:*For PAL use -target pal-dvd. For widescreen, use -target film-dvd. For other conversion tips, see [http://ubuntuforums.org/archive/index.php/t-1006250.html this forum]. (Note: Most Flash video has very low resolution, with a screen size of 360x270, for example. You may see a slight diminishment in resolution if you wish to convert it to 720x480 (which is the NTSC standard size) or other screen size. You can keep the original screen size and resolution by omitting the -target parameter.) If your original file is 16:9 widescreen and you desire a 4:3 letterbox output for playing on an overscanned TV, you may need to pad the file so that the widescreen is not compressed (see [http://ubuntuforums.org/showthread.php?t=1010648 this forum]):

ffmpeg -i ''samplevideo.flv'' -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 ''samplevideo.mpg''

* You can also use the WinFF GUI and add the command (as above) as a "Preset," for subsequent use. For example:
:Video converter (WinFF) -> Edit -> Presets ->
:: Preset Name: Letterbox -> Preset Label: 16:9 Widescreen to 4:3 Letterbox
:: Preset command: -target ntsc-dvd -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58
::Ouput file extension: mpg -> Category: DVD
:::-> Add/Update -> Save

*To convert to MPEG-4 (mp4) files, use
ffmpeg -i ''samplevideo.flv'' ''outputvideo.mp4''

* FFMPEG requires that multiple [[Kubuntu:Oneiric#Restricted Extras|restricted extra codecs]] be installed. This can be done in a single easy step from the command-line Terminal:
sudo apt-get install kubuntu-restricted-extras
:or
sudo apt-get install ubuntu-restricted-extras

=== Convert to .MP3 audio file using FFMPEG ===
==== Convert Flash video audio to mp3 ====
* Once you have downloaded flash video content (.flv) from the Internet (using the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video Download Helper plug-in for Firefox]], for example), the audio component can be converted to an mp3 using this command (from the command line Terminal). (This will work for any type of video file, not just Flash.)
ffmpeg -i ''nameofvideoclip.flv'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''

:where -i indicates the input, -ab indicates the bit rate (in this example 160kb/sec), -vn means no video ouput, -ac 2 means 2 channels, -ar 44100 indicates the sampling frequency. See [http://ffmpeg.mplayerhq.hu/ffmpeg-doc.html#SEC11 FFMPEG docs] for more info.

If I only want a segment of the video to be converted, I can use the time markers:
ffmpeg -i ''nameofvideoclip.flv'' -ss ''00:00:09'' -t ''00:03:00'' -ab 160k -ac 2 -ar 44100 -vn ''nameoffile.mp3''
:where -ss ''00:00:09'' indicates the point in the video (hh:mm:ss) at which to start conversion and -t ''00:03:00'' indicates the amount of time (from the start point) to convert.

* As long as [[#FFMPEG|FFMPEG]] is already installed, the [[Kubuntu:Oneiric#Video_DownloadHelper_plug-in_for_Firefox|Video DownloadHelper plug-in for Firefox]] already has an option to automatically convert an online video (such as those found at YouTube) into an .MP3 file. (Settings are adjustable.) From the DownloadHelper icon in Firefox, highlight the video to convert, then
:DownloadHelper icon -> Download and Convert -> Converter options: MP3

=== Edit/convert screencapture with FFMPEG ===
''Note: This section under construction.''

*Note: I now recommend using [[Video_Conversion|mencoder for all video conversion]] techniques. It uses some of the ffmpeg libraries but is faster and gives more reliable and high-quality results.

*This is only one example of a wide variety of techniques. Once I have a [[Screencasts#FFMPEG_with_x11grab|captured video]], I want to convert it to XVID video (which is the format my older DVD player accepts) and MP3 audio (mp3lame), which I will place in an AVI container (which my DVD player also accepts).

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -acodec libmp3lame -ss 00:00:09 -t 00:03:00 ''Punchcast2.avi''

I will start conversion (-ss) at second 9 (to eliminate unimportant things at the beginning) and convert 3 minutes (-t) of video (00:03:00).

* I happen to watch my screencasts on my old-fashioned 4:3 television. To do that, I make a letterboxed video:

ffmpeg -i ''Punchcast1.avi'' -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -padleft 36 -padright 36 -padtop 58 -padbottom 58 -acodec libmp3lame ''Punchcast3.avi''

My laptop screen is 1366x768, which I reduce to a size of 648x364. My TV wants 720x480, so I pad the sides and top/bottom. Why not a width of 720 initially? My older television has 10% overscan, which cuts off 10% of the video. I therefore use (at least) 10% padding on the edges.

In newer versions of FFMPEG, the padding (and many other) options have changed. The proper command is now:
ffmpeg -i Punchcast1.avi -vcodec mpeg4 -vtag xvid -ss 00:00:09 -t 00:03:00 -s 648x364 -vf pad 720:480:36:58 -acodec libmp3lame Punchcast3.avi

ffmpeg movie=Punchcast1.avi:seek_point=9 -vcodec copy -acodec libmp3lame Punchcast1f.avi

=== WinFF (FFMPEG GUI) ===
[http://winff.org WinFF] is a free, GPL-licensed open source GUI frontend for FFMPEG. Install:
sudo apt-get install winff xterm
Run:
:Menu -> Applications -> Sound & Video -> WinFF

== VobSub2SRT (Convert subtitles from .sub/.idx to .srt) ==
* [https://github.com/ruediger/VobSub2SRT VobSub2SRT] is a simple (GPLv3-licensed) command line program to convert the image-based .idx / .sub subtitle files (used with the [http://en.wikipedia.org/wiki/VOB .vob] format found on commercial DVDs) into text-based [http://en.wikipedia.org/wiki/SubRip .srt] text subtitle files by using OCR. It is based on code from the [[Ubuntu:All#MPlayer_Multimedia_Player|MPlayer]] project, [[Ubuntu:All#Tesseract_.28Optical_Character_Reader.29|Tesseract]] as OCR software, and libavutil (part of the [[Ubuntu:All#FFMPEG_video_.2F_audio_conversion|FFmpeg]] project). Install the (K)Ubuntu/Debian (.deb) package from a PPA repository:
sudo add-apt-repository ppa:ruediger-c-plusplus/vobsub2srt
sudo apt-get update
sudo apt-get install vobsub2srt

* Alternatively, you can download and build a version from source code.
:* Install dependencies:
sudo apt-get install pkg-config build-essential cmake libavutil-dev libtesseract-dev

:* For (K)Ubuntu 12.10 (Quantal) also install:
sudo apt-get install libtiff5-dev tesseract-ocr-eng

:* For (K)Ubuntu 12.04LTS (Precise) also install:
sudo apt-get install libtiff4-dev tesseract-ocr tesseract-ocr-eng 

::* If you will be converting subtitles in languages other than English, you must install tesseract for any or all of those languages as well:
sudo apt-get install tesseract-ocr-vie tesseract-ocr-deu tesseract-ocr-fra tesseract-ocr-ita
sudo apt-get install tesseract-ocr-nld tesseract-ocr-spa tesseract-ocr-por tesseract-ocr-deu-f
::where vie is for Vietnamese, deu is for German, fra is for French, ita is for Italian, nld is for Dutch, spa is for Spanish, por is for Portugeuse, and deu-f is for German Fraktur script. If you don't you will get an error of the type: ''Unable to load unicharset file /usr/share/tesseract-ocr/tessdata/xxx.unicharset''.

:* Download and unzip the VobSub2SRT .zip file into its own directory:
mkdir vobsub2srt
cd vobsub2srt
wget -O vobsub2srt-current.zip <nowiki>https://github.com/ruediger/VobSub2SRT/zipball/ca53a18108eb08d6e2b853643d8c6838e2489823</nowiki>
unzip vobsub2srt-current.zip
rm vobsub2srt-current.zip

:* This will create a subdirectory with the current version. For example, my version is ''vobsub2srt/ruediger-VobSub2SRT-ca53a18''. Change into that directory then compile and install the program.
cd ''ruediger-VobSub2SRT-ca53a18''
./configure
make
sudo make install

:* This should install the program vobsub2srt to /usr/local/bin. You can uninstall vobsub2srt with ''sudo make uninstall''. You can build a *.deb package (Debian/Ubuntu) with ''make package''. The package is created in the build directory.

* Convert the .sub / .idx pair of subtitle files (named ''Filename.sub'' and ''Filename.idx'') into a .srt sbutitle file (named ''Filename.srt''):
vobsub2srt ''Filename''

:where Filename is the file name of the subtitle files WITHOUT the extension (.sub / .idx).

*If there are multiple languages in the .sub / .idx pair of subtitle files, you can select which language to convert (using the 2-letter [http://en.wikipedia.org/wiki/ISO_639-1 ISO 639-1] language code, e.g. en, fr, de, it, es, pt, etc.):
vobsub2srt --lang en ''Filename''

* Edit the .srt subtitle file for OCR mistakes (use the ''gedit'' text editor instead of ''kate'' if using Ubuntu instead of Kubuntu):
kate ''Filename.srt''

== Join .MPG video segments ==
Individual video segments (MPEG-2, for example) can easily be joined:
cat ''samplevideo1.mpg'' ''samplevideo2.mpg'' ''samplevideo3.mpg'' > ''samplevideo123.mpg''

:You can then write the resulting MPEG-2 file to a DVD and play it in most DVD players.

== Split a file into segments ==
Any file can be [http://en.wikipedia.org/wiki/Split_%28Unix%29 split] into segments using the Linux command:
split -b 1440k ''my_big_file''

which will split ''my_big_file'' into equal segments of size 1440 kb.

== Create a commercial (.vob) format DVD ==
* The audiovideo container of commercial DVDs uses the [http://en.wikipedia.org/wiki/VOB .vob format]. This container requires either MPEG-1 or MPEG-2 video (.mpg) and either AC3 or MPEG-2 (.mp2) audio. Therefore, the first step in creating a DVD-video in this format is to convert all audiovisual files (to be included on it) to .mpg files (with one of those video and audio formats), usually with the MPEG-PS (A+V) container. This can be done from the command-line terminal (using mencoder or ffmpeg) or from a GUI utility (such as Avidemux).

:* The GUI utility [[Kubuntu_Precise_Video#Avidemux_.28Video_editor.2Fprocessor.29|Avidemux]] is a GUI utility that has standardised settings for file conversion. [http://avidemux.org/admWiki/doku.php?id=tutorial:converting_to_dvd Here] is the Avidemux tutorial for conversion to a DVD-video.

::* Open the file and allow the time map and Index to be rebuilt.
::* It is best to convert a file (to be included on the DVD) to a format with MPEG-2 (avcodec) video, AC3 (lav) audio, and the MPEG-PS (A+V) container as an intermediate first. The MP2 audio format (the default for Avidemux in "Auto" mode) can also be used, and will result in a much smaller .mpg file then when using AC3 audio, but several of my very old DVD players only recognise AC3 audio (so this has therefore become my personal preference).
:::* The easiest method for doing this is to use the Avidemux Auto DVD wizard. (Avidemux -> Auto -> Optical Disc -> DVD). Select the appropriate souce and destination ratios. (My source videos are usually already in 16:9 widescreen formats, and I want to make DVDs for my widescreen 16:9 TV. I therefore choose 16:9 for both the "Source Aspect Ratio" and the "Destination Aspect Ratio.") The Auto DVD Wizard uses MP2 audio by default, but I personally like AC3 audio instead (the format usually used on "commercial" DVDs). I therefore change this using the Audio -> AC3 (lav) option.
:::* It is possible to customise (or initially set) the format options manually as well (see the Avidemux documentation). Select the Video (and make sure the aspect ratio is the one you desire in Video -> Configure -> Configuration: DVD -> Aspect Ratio: ''16:9'' ), Audio, and (container) Format options.
::::* To be DVD compliant, the resolution must be
:::::* 352*480 or 720*480 or 704*480 for NTSC
:::::* 352*576 or 720*576 or 704*576 for PAL/SECAM
:::: This is set automatically if using the Auto DVD wizard. If your original video does not already have the correct aspect ratio, you will have to use cropping, scaling, and/or black bar "Filter" options until one of the standard resolutions is achieved.

::* Save the file ( Avidemux -> File -> Save -> Save Video... -> ''myconvertedvideo.mpg'' ) to activate the conversion process. (If prompted whether to "Reuse the existing log file?" answer "No.")

:* Alternatively, mencoder can be used from the command-line to [[#AVI_to_MPG|convert a file to the .mpg format]].

:* Alternatively, FFMPEG can be used from the command-line to [[#Flash_video_.28.flv.29_to_MPG-2_using_FFMPEG|convert a file to the .mpg format]]. A simplified preset option for for conversion to both PAL and NTSC options is available.

* Once all files to be included on the DVD-video have been converted to .mpg files, the utility [[Kubuntu_Precise_Audio_Video_Conversion#DVD_Author|dvdauthor]] can be used for conversion to .vob format (appropriate for writing to the DVD). While this utility can be used from the command-line, "authoring" (conversion) is more easily accomplished using one of several available [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|GUI front-ends]], which allow creation of menus for the DVD as well.

::* With Kubuntu I use KMediaFactory for simple projects. (QDVDAuthor, which is difficult to install in recent Kubuntu versions, is superior and more powerful. [[Kubuntu_Precise_Audio_Video_Conversion#Other_DVD_authoring_programs|KMediaFactory]], in contrast, is in the repositories and is adequate (and quick) for most purposes.
:::* Rename the .mpg files (created with Avidemux or other method) carefully. The filename(s) becomes the Title(s) used by KMediaFactory for the video(s) on the DVD menu.
:::* Set up the DVD menu in KMediaFactory.
::::* KMediaFactory -> Project -> Title -> ''MyDVDTitle'' (this will appear on the DVD Menu at the top)
::::* -> Type: ''DVD-NTSC'' -> Aspect: ''16:9'' -> Destination Folder ''/home/user/DVDs''
:::* Add the .mpg files to the DVD.
::::* KMediaFactory -> Media -> Add Video -> ''MyFirstVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::::* -> Add Video -> ''MySecondVideofile.mpg'' -> VideoProperties: Aspect ratio: ''16:9''
:::* Choose the DVD Menu appearance.
::::* KMediaFactory -> Template -> ''Preview 3''
:::* Choose the output format. For this, I generally create a "DVD folder" which I can then check using [[Kubuntu_Precise_Media_Players#VLC_Multimedia_Player|VLC]] to make sure my DVD looks the way I had intended.
::::* KMediaFactory -> Output -> DVD Folder
:::* Start the conversion ("DVD authoring") process. If an error appears, the problem usually lies in a non-existent (or write-protected) folder having been specified when setting the "Title" options. Make sure the folder has been specified properly. KMediaFactory will then create the standard AUDIO_TS and VIDEO_TS folders in the folder specified.
::::* -> Start

::* In Kubuntu I then use [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|K3b]] to burn the AUDIO_TS and VIDEO_TS folders to a blank DVD. This can be done in K3b using the "New Video DVD Project" (K3b -> More actions... -> New Video DVD Project) using the AUDIO_TS and VIDEO_TS folders as the data. Edit the name of the DVD to reflect the desired DVD name. "Burn" the DVD. The result will be identical to commercial DVDs. (Note: In recent versions of K3b I have had to "Burn" using the "growisofs" Writing app at 8x Speed and DAO (Disc-At-Once) Writing Mode in order to achieve reliable burns. See [[Kubuntu_Precise_Audio_Video_Conversion#K3b_.28CD.2FDVD_burner.29|here]] for more details.)

== Recommended formats ==
* There is only one format that works on all my devices (computer (both Linux and Windows), (Android) tablet, (Android) eBook reader, MP3 player, DVD player):
:* .AVI container with XVID/DivX video codec and MP3lame (MP3) audio codec

:I use this for all my devices, and encode files to about 700 MB. This is a good size that gives good quality and allows me to fit many videos on a single SDcard (which I use in my mobile devices). For most of my devices, a 128 kb MP3 encoding bitrate is sufficient; I previously encoded at 192 kb for MP3lame (which is the default bitrate for AC3 sound), but I find this bitrate to be unnecessary. (The higher the encoding bitrate, the larger the encoded file, and I try to keep all my files around 700 MB.) The .AVI container has several limitations: it does not allow more than stereo audio (i.e. no 5.1 surround sound), does not allow multiple subtitle files, and requires a constant bitrate (CBR) audio channel. For advanced archival purposes it may not be suitable in the long-term, but currently it is desirable for the wide range of devices that accept it. It is also one of the only containers guaranteed to be accepted by Windows computers (since the container is originally a Windows-based format).

* I am also able to use an .MP4 container with X264/H.264 video codec and either the AAC audio codec or the MP3lame (MP3) audio codec on many devices, but not all. Neither the X264/H.264 video nor the AAC audio will play on my DVD player or MP3 player, for example (though it plays on my computer and Android tablet devices).

:* The related .M4V container (the proprietary Apple Quicktime format) works on almost none of my devices, and, furthermore, is difficult to decode and re-encode to a different container. I shun this format like the plague.

* The newer .MKV container, though open source and a superior container, is accepted by very few of my older devices. It does not play on my (older) DVD player or MP3 player, for example (no matter which video and audio codecs are used).

:Nevertheless, most newer DVD players seem to accept the .MKV format. In fact, it is now difficult to find DVD players that will still play .AVI with XVID / DivX video. Over the years, however, I have accumulated a very large collection of .AVI / XVID / MP3 videos. In 2013, the only DVD player I could find that would play them all was the Philips DVP3680/F7 DVD Player with HD Upconversion (which I found at [http://www.bestbuy.com/site/Philips+-+DVD+Player+with+HD+Upconversion/4983625.p;jsessionid=436B03D27CA483A9AB8EC510D0B2B03C.bbolsp-app01-115?id=1218644449769&skuId=4983625&st=philips&cp=1&lp=15 Best Buy] for $40). I highly recommend this player, therefore, if you find yourself with a large collection of .AVI / XVID video files. However, it does not play MP4 files, which is a drawback. (Note: I am told that [http://www.amazon.com/Philips-Region-1080p-Upconverting-Player/dp/B004BI6MVS/ref=pd_cp_e_0#productDescription this upconverting Philips DVD] player will play region-free, both PAL and NTSC formats, and both MP4 and DivX/XVID codecs.)

* My Android (2.3) tablet devices will also not accept the AC3 audio codec (which is the standard audio used on commercial DVDs, for example), so most of the time I re-encode any files having AC3 audio with the MP3lame audio codec instead.

Template:U Raring/Requests

Perspectoff — Sat, 27 Apr 2013 04:47:52 GMT

Perspectoff: /* Requests */

= Requests =
== Reviews ==
* [http://www.zdnet.com/ubuntu-13-04-raring-ringtail-review-7000014497/ ZDNet's Review] of Ubuntu Raring

== eBook version of this guide ==
* See the [[eBooks|Books Category]] for free Ubuntu eBooks based on this help guide.
* There is an option in the menu bar at the left entitled "Printable version" which formats pages for easier printing. You can print this (or any other document) to a PDF file easily. By default, Ubuntu includes a "Print to File" option from its Print menu. Use this option to print anything appearing in your browser into a PDF file. From Firefox (or any other browser or program):
:::File -> Print -> Print to File -> Output Format: PDF

== Import this guide into another wiki ==
* How do I import a copy of Ubuntuguide into my own wiki?
:See [[Ubuntuguide XML exports|this page]].

== Other requested topics ==
Place your requests here.

* How can I [[Advertise_with_Us|sponsor]] Ubuntuguide/Kubuntuguide?

* How can I contribute?
:[[Special:UserLogin|Register]] and then add your suggestions directly to the wiki.

Template:Public Service Announcement

Perspectoff — Sat, 27 Apr 2013 03:57:42 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
     ... and plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows [http://en.wikipedia.org/wiki/Big_Brother_%28Nineteen_Eighty-Four%29 Big Brother] monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live [http://www.guardian.co.uk/commentisfree/2013/apr/18/cispa-2013-house-vote-internet-privacy in Michigan] you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 17:26:51 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
     ... and plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live [http://www.guardian.co.uk/commentisfree/2013/apr/18/cispa-2013-house-vote-internet-privacy in Michigan] you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 17:08:49 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
     ... and be sure to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live [http://www.guardian.co.uk/commentisfree/2013/apr/18/cispa-2013-house-vote-internet-privacy in Michigan] you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:58:13 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
     ... and be sure to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:56:54 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
     Also, be sure to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:55:57 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
    Also, be sure to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:55:09 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
<br>
    Also, be sure to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:54:03 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
    Also, be sure to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:51:56 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
:Don't forget to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:51:22 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]...<br>
Don't forget to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>

Template:Public Service Announcement

Perspectoff — Mon, 22 Apr 2013 14:50:40 GMT

Perspectoff: /* Public Service Announcement */

== Public Service Announcement ==
<center>------------</center>
* Support [http://en.wikipedia.org/wiki/Earth_Day Earth Day] on 22 April 2013 and do your part to reduce energy consumption (and CO2 emissions) and help reduce the rate of global warming. Perhaps consider a low-power computer, such as those from [http://aleutia.com/products Aleutia] or [http://www.fit-pc.com Fit-PC]. Maybe browse a news website dedicated to energy efficiency, such as [http://www.environmentalleader.com/category/smart-grid/ Enviornmental Leader]... Don't forget to plant some trees.
<center>------------</center>
* In the United States, two legislative bills, [https://en.wikipedia.org/wiki/Stop_Online_Piracy_Act SOPA] and [https://en.wikipedia.org/wiki/PROTECT_IP_Act PIPA], were defeated after close examination and widespread public outcry against them. In response, a new legislative bill with even more ominous consequences to the usage and functioning of the Internet, [https://en.wikipedia.org/wiki/Cyber_Intelligence_Sharing_and_Protection_Act CISPA], has been drafted. This bill allows Big Brother monitoring of every citizen not only by government but also by private agencies. If you are a US citizen, review the implications of this bill and write to your congressperson about the unnecessarily broad and intrusive nature of this bill. Hopefully your representative has more than a 6th-grade education (if you live in Michigan you may be out of luck).
<center>------------</center>